new server for website


new server for website

Charlie Allom-2

you may have seen some hiccups earlier as I switched the DNS for the dp
website and now have migrated the site to the new server (sampson).

there is one bug I can see, and that is that the "available ports"
page doesn't actually return anything from its <form>.

Anyone who can lend a hand here with the PHP (it's in CVS) gets a gold
star from me.

Regards,
  C.
--
 hail eris
 http://rubberduck.com/

_______________________________________________
Darwinports mailing list
[hidden email]
http://www.opendarwin.org/mailman/listinfo/darwinports


Re: new server for website

Bryan Blackburn-2
On Mar 30, 2006, at 1:36 AM, Charlie Allom wrote:
>
> you may have seen some hiccups earlier as I switched the DNS for  
> the dp
> website and now have migrated the site to the new server (sampson).
>
> there is one bug I can see, and that is that the "available ports"
> page doesn't actually return anything from it's <form>.
>

I'm guessing sampson has register_globals set to off in its PHP  
configuration?  If so, then it looks like that script (and possibly  
other PHP scripts) will need to be modified to take that into account  
(a quick glance reveals $PHP_SELF for example)...

Bryan


> Anyone who can lend a hand here with the PHP (it's in CVS) gets a gold
> star from me.
>
> Regards,
>   C.
> --
>  hail eris
>  http://rubberduck.com/


Re: new server for website

Charlie Allom-2
On Thu, Mar 30, 2006 at 02:01:48AM -0700, Bryan Blackburn wrote:

> On Mar 30, 2006, at 1:36 AM, Charlie Allom wrote:
> >
> >you may have seen some hiccups earlier as I switched the DNS for  
> >the dp
> >website and now have migrated the site to the new server (sampson).
> >
> >there is one bug I can see, and that is that the "available ports"
> >page doesn't actually return anything from it's <form>.
> >
>
> I'm guessing sampson has register_globals set to off in its PHP  
> configuration?  If so, then it looks like that script (and possibly  
> other PHP scripts) will need to be modified to take that into account  
> (a quick glance reveals "$PHP_SELF for example)...
Yes, I figured this was the issue - what can I do to solve it?

--
 hail eris
 http://rubberduck.com/


Re: new server for website

Ryan Schmidt-8
>> I'm guessing sampson has register_globals set to off in its PHP
>> configuration?  If so, then it looks like that script (and possibly
>> other PHP scripts) will need to be modified to take that into account
>> (a quick glance reveals "$PHP_SELF for example)...
>
> yes i figured this was the issue - what can I do to solve it?

Recommended: Rewrite the PHP files to use the relevant superglobal  
array (in this case, $_SERVER['PHP_SELF']).

http://www.php.net/reserved.variables


Not recommended, because register_globals is most likely a security  
risk, especially since your source is public: Turn on  
register_globals (.htaccess file or vhost configuration directive  
"php_flag register_globals on")

http://www.php.net/security.globals



Re: new server for website

Charlie Allom-2
On Thu, Mar 30, 2006 at 11:46:41AM +0200, Ryan Schmidt wrote:
> >>I'm guessing sampson has register_globals set to off in its PHP
> >>configuration?  If so, then it looks like that script (and possibly
> >>other PHP scripts) will need to be modified to take that into account
> >>(a quick glance reveals "$PHP_SELF for example)...
> >
> >yes i figured this was the issue - what can I do to solve it?
>
> Recommended: Rewrite the PHP files to use the relevant superglobal  
> array (in this case, $_SERVER['PHP_SELF']).

Yes, I'd already tried replacing the former with this, but no love.
Replacing them all also gives nothing new.

  C.
--
 hail eris
 http://rubberduck.com/


Re: new server for website

Charlie Allom-2
In reply to this post by Ryan Schmidt-8
On Thu, Mar 30, 2006 at 11:46:41AM +0200, Ryan Schmidt wrote:
> >>I'm guessing sampson has register_globals set to off in its PHP
> >>configuration?  If so, then it looks like that script (and possibly
> >>other PHP scripts) will need to be modified to take that into account
> >>(a quick glance reveals "$PHP_SELF for example)...
> >
> >yes i figured this was the issue - what can I do to solve it?
>
> Recommended: Rewrite the PHP files to use the relevant superglobal  
> array (in this case, $_SERVER['PHP_SELF']).

Does this help?

Adding <?  extract($_GET); ?> fixes it.

What is it using in $_GET?
--
 hail eris
 http://rubberduck.com/


Re: new server for website

Ryan Schmidt-8
On Mar 30, 2006, at 12:15, Charlie Allom wrote:

>> Recommended: Rewrite the PHP files to use the relevant superglobal
>> array (in this case, $_SERVER['PHP_SELF']).
>
> does this help?
>
> adding <?  extract($_GET); ?> fixes it.

In other words, you have just simulated register_globals, including  
its security implications.


> what is it using in _GET ?

I'm afraid I haven't looked at the code yet and have other pressing  
commitments at the moment. :-(


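To make the two points above concrete (Ryan's recommendation to read the superglobals directly, and his remark that extract($_GET) simply re-creates register_globals), here is an added example. It is not code from this thread or from the DarwinPorts site; the parameter names, the $authorized flag and the whitelist pattern are assumptions for illustration. It shows how a script written for register_globals=On, or patched with extract($_GET), can have one of its own variables set from the query string, and what the superglobal-based rewrite looks like, including the escaped $_SERVER['PHP_SELF'].

```php
<?php
// Added example (not code from the thread or the DarwinPorts site):
// why register_globals=On, and its hand-rolled equivalent extract($_GET),
// let a visitor set the script's own variables, and what the
// superglobal-based rewrite looks like.  Parameter names, the
// $authorized flag and the whitelist are assumptions for illustration.
// Run with: php register_globals_demo.php

// Constructed request: a visitor who appended &authorized=1 to the URL.
$request = ['substr' => 'x11', 'authorized' => '1'];

// Old style.  extract($request) does what register_globals=On did:
// every request parameter becomes a local variable before the script's
// own logic runs, so "authorized" from the URL is already set to '1'.
function check_old_style(array $request, bool $loginOk): bool
{
    extract($request);             // simulates register_globals=On
    if ($loginOk) {
        $authorized = true;
    }
    return !empty($authorized);    // the URL-supplied '1' is truthy
}

// New style.  Read only the parameters you mean to read, from the
// superglobal you mean ($_GET here, passed in so the function is
// testable), initialise state explicitly, and validate before use.
function check_new_style(array $get, bool $loginOk): bool
{
    $authorized = false;           // never inherited from the request
    if ($loginOk) {
        $authorized = true;
    }
    return $authorized;
}

function read_substr(array $get): string
{
    $substr = isset($get['substr']) ? (string) $get['substr'] : '';
    // Whitelist: port names and categories are plain identifiers, so
    // anything else is dropped before it can reach SQL or HTML.
    return preg_match('/^[A-Za-z0-9._+-]{1,64}$/', $substr) ? $substr : '';
}

var_dump(check_old_style($request, false));  // the login check is bypassed
var_dump(check_new_style($request, false));  // stays false
var_dump(read_substr($request));             // the x11 filter passes
var_dump(read_substr(['substr' => "x11' OR 1=1"]));  // rejected, empty string

// The $PHP_SELF replacement from the thread.  PHP_SELF reflects the
// request path, so it is HTML-escaped before going into an attribute;
// /ports.php/"><script>... is the classic abuse of an unescaped one.
$self = htmlspecialchars($_SERVER['PHP_SELF'] ?? '/ports/ports.php',
                         ENT_QUOTES, 'UTF-8');
echo '<form action="', $self, '" method="get">', "\n";
```

The difference between the two checks is not the superglobal syntax itself but the initialisation: with register_globals or extract(), any variable the script forgets to initialise is one the visitor can initialise for it.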

Re: new server for website

James Berry-3
In reply to this post by Charlie Allom-2

On Mar 30, 2006, at 2:15 AM, Charlie Allom wrote:

> On Thu, Mar 30, 2006 at 11:46:41AM +0200, Ryan Schmidt wrote:
>>>> I'm guessing sampson has register_globals set to off in its PHP
>>>> configuration?  If so, then it looks like that script (and possibly
>>>> other PHP scripts) will need to be modified to take that into  
>>>> account
>>>> (a quick glance reveals "$PHP_SELF for example)...
>>>
>>> yes i figured this was the issue - what can I do to solve it?
>>
>> Recommended: Rewrite the PHP files to use the relevant superglobal
>> array (in this case, $_SERVER['PHP_SELF']).
>
> does this help?
>
> adding <?  extract($_GET); ?> fixes it.
>
> what is it using in _GET ?

Charlie,

The scripts should get at request variables using $_REQUEST['varname']
instead of $varname.

Unfortunately, the 24-hr build/test cycle makes this tough to test  
and fix... ;)

-jdb


> --
>  hail eris
>  http://rubberduck.com/

Re: new server for website

Ryan Schmidt-8
On Mar 30, 2006, at 18:23, James Berry wrote:

>> does this help?
>>
>> adding <?  extract($_GET); ?> fixes it.
>>
>> what is it using in _GET ?
>
> The scripts should get at request variables using $_REQUEST
> ['varname'] instead of $varname.

One should use $_GET or $_POST depending on which one is meant.

Attached is my diff for the current CVS version of ports.php,  
changing the following things:

* don't assume register_globals is on; use $_GET and $_SERVER where  
appropriate
* don't use short open tags
* use mysql_real_escape_string() where appropriate, instead of  
addslashes() or nothing
* use htmlspecialchars() where appropriate instead of nothing
* use urlencode() where appropriate instead of nothing
* simplify appending to variables (using append operator)
* use &amp; between GET parameters in URLs instead of just &
* fix search button label
* fix indentation in heading and footer

My version passes a syntax check with "php -l" but I can't make any  
further statement about whether it'll actually fix the problem  
completely. I haven't looked at any of the other files yet, such as  
the included PHP files.


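Ryan's list names three output contexts, each with its own encoder: SQL (mysql_real_escape_string() rather than addslashes() or nothing), HTML (htmlspecialchars()) and URLs (urlencode(), plus &amp; between parameters). The following is an added example, not his patch or the site's ports.php. It uses PDO with an in-memory SQLite database so it runs offline; the site used ext/mysql, where mysql_real_escape_string() and prepared statements play the roles that $db->quote() and $db->prepare() play here. The table layout, column names, sample rows and the inputs are constructed for the example.

```php
<?php
// Added example, not Ryan's patch: the three output contexts his list
// touches (SQL, HTML, URL), each with its own encoder.  PDO + in-memory
// SQLite so it runs offline; with ext/mysql the equivalents are
// mysql_real_escape_string() for quote() and prepared statements for
// prepare().  Table, columns, rows and inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ports (name TEXT, category TEXT)');
$db->exec("INSERT INTO ports VALUES ('xorg', 'x11'), ('vim', 'editors')");

// Constructed input: a category filter carrying an injection attempt.
// SQLite, like MySQL, treats "--" as a line comment.
$substr = "' OR 1=1 --";

// 1. SQL, "nothing": the parameter is pasted straight into the query.
$sql = "SELECT name FROM ports WHERE category LIKE '%" . $substr . "%'";
$leaked = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
// The WHERE clause has become "category LIKE '%' OR 1=1", so $leaked
// holds every row in the table.

// SQL, escaped: quote() is PDO's counterpart of mysql_real_escape_string()
// (it also adds the surrounding quotes, so none are written by hand).
$sql = 'SELECT name FROM ports WHERE category LIKE '
     . $db->quote('%' . $substr . '%');
$escaped = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
// The quote inside $substr is doubled, the pattern matches nothing.

// SQL, preferred: bind the value, so it can never be parsed as SQL.
$stmt = $db->prepare('SELECT name FROM ports WHERE category LIKE ?');
$stmt->execute(['%' . $substr . '%']);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);

printf("unescaped: %d rows, quoted: %d rows, bound: %d rows\n",
       count($leaked), count($escaped), count($bound));

// 2. HTML: the search term is echoed back into the page, so encode it
// for HTML.  ENT_QUOTES makes the same call safe inside attributes.
$term = '<script>alert(1)</script>';
echo '<p>Results for ', htmlspecialchars($term, ENT_QUOTES, 'UTF-8'), "</p>\n";

// 3. URL: build the query string with http_build_query() (urlencode()
// per value), then HTML-encode the assembled URL for the href; that
// second step is what turns the "&" between parameters into "&amp;".
$href = 'ports.php?' . http_build_query(['by' => 'cat', 'substr' => $term]);
echo '<a href="', htmlspecialchars($href, ENT_QUOTES, 'UTF-8'), "\">x11</a>\n";
```

The ordering in step 3 matters: urlencode() the individual values, then htmlspecialchars() the whole URL. Doing it the other way round either leaves a raw & in the attribute or double-encodes the values.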

Re: new server for website

James Berry-3

On Mar 30, 2006, at 9:20 AM, Ryan Schmidt wrote:

> On Mar 30, 2006, at 18:23, James Berry wrote:
>
>>> does this help?
>>>
>>> adding <?  extract($_GET); ?> fixes it.
>>>
>>> what is it using in _GET ?
>>
>> The scripts should get at request variables using $_REQUEST
>> ['varname'] instead of $varname.
>
> One should use $_GET or $_POST depending on which one is meant.

Security-wise, this shouldn't make much of a difference. I've found  
$_REQUEST gives me more flexibility. But I won't argue about it... ;)

>
> Attached is my diff for the current CVS version of ports.php,  
> changing the following things:

All right! Hopefully charlie can apply the patch and test it out.  
Otherwise the change/test cycle gets pretty long and we end up with  
a site that's broken for the long term.

Thanks again for putting this together.

James.

>
> * don't assume register_globals is on; use $_GET and $_SERVER where  
> appropriate
> * don't use short open tags
> * use mysql_real_escape_string() where appropriate, instead of  
> addslashes() or nothing
> * use htmlspecialchars() where appropriate instead of nothing
> * use urlencode() where appropriate instead of nothing
> * simplify appending to variables (using append operator)
> * use &amp; between GET parameters in URLs instead of just &
> * fix search button label
> * fix indentation in heading and footer
>
> My version passes a syntax check with "php -l" but I can't make any  
> further statement about whether it'll actually fix the problem  
> completely. I haven't looked at any of the other files yet, such as  
> the included PHP files.
>
> <ports.php.diff.gz>


Re: new server for website

Chris-158
Hello,
Not sure if this (still?) applies. But clicking on an individual
category simply returns you to the ports index page, e.g.
choosing x11 - http://darwinports.org/ports/ports.php?by=cat&substr=x11
returns *exactly* the same thing as:
http://darwinports.org/ports/

Just thought it was worth mentioning.

--Chris

P.S.
Wouldn't a fast and safe solution for a relatively uninitiated PHP coder
have been to use standard HTML GET/POST FORM options, as opposed to the
PHP(3 || 4 || 5) alternative(s)?

Quoting James Berry <[hidden email]>:

>
> On Mar 30, 2006, at 9:20 AM, Ryan Schmidt wrote:
>
>> On Mar 30, 2006, at 18:23, James Berry wrote:
>>
>>>> does this help?
>>>>
>>>> adding <?  extract($_GET); ?> fixes it.
>>>>
>>>> what is it using in _GET ?
>>>
>>> The scripts should get at request variables using $_REQUEST
>>> ['varname'] instead of $varname.
>>
>> One should use $_GET or $_POST depending on which one is meant.
>
> Security-wise, this shouldn't make much of a difference. I've found  
> $_REQUEST gives me more flexibility. But I won't argue about it... ;)
>
>>
>> Attached is my diff for the current CVS version of ports.php,  
>> changing the following things:
>
> All right! Hopefully charlie can apply the patch and test it out.  
> Otherwise the change/test cycle get's pretty long and we end up with  
> a site that's broken for the long term.
>
> Thanks again for putting this together.
>
> James.
>
>>
>> * don't assume register_globals is on; use $_GET and $_SERVER where  
>> appropriate
>> * don't use short open tags
>> * use mysql_real_escape_string() where appropriate, instead of  
>> addslashes() or nothing
>> * use htmlspecialchars() where appropriate instead of nothing
>> * use urlencode() where appropriate instead of nothing
>> * simplify appending to variables (using append operator)
>> * use &amp; between GET parameters in URLs instead of just &
>> * fix search button label
>> * fix indentation in heading and footer
>>
>> My version passes a syntax check with "php -l" but I can't make any  
>> further statement about whether it'll actually fix the problem  
>> completely. I haven't looked at any of the other files yet, such as  
>> the included PHP files.
>>
>> <ports.php.diff.gz>
>



--
Microsoft:
Disc space -- the final frontier!

-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////


Re: new server for website

Charlie Allom-2
In reply to this post by Ryan Schmidt-8
On Thu, Mar 30, 2006 at 07:20:14PM +0200, Ryan Schmidt wrote:
>
> Attached is my diff for the current CVS version of ports.php,  
> changing the following things:

This is so cool, I shall buy you a beer. Where do you live?

> * use htmlspecialchars() where appropriate instead of nothing

This actually turns the "Maintained by:" line into quoting the <span> tag.

Can I just leave this as print $addr; ?

> further statement about whether it'll actually fix the problem  
> completely. I haven't looked at any of the other files yet, such as  
> the included PHP files.

so rockin!

--
 hail eris
 http://rubberduck.com/

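The symptom Charlie reports, htmlspecialchars() turning the "Maintained by:" line into a literal <span> tag, is what happens when the variable already contains markup: the encoder is right, it is just applied one layer too late. Below is an added example, not the site's ports.php, showing the layering that avoids both the double-encoding and the risk of print $addr; with untrusted data. The span class name and the sample addresses, including the hostile one, are constructed for the example.

```php
<?php
// Added example (not the site's ports.php): escape the data, then add
// the markup, not the other way round.  Class name and sample values
// are assumptions for illustration.

// What the site apparently had: $addr already carries a <span>, so
// htmlspecialchars($addr) renders the tag itself as visible text.
$addr = '<span class="maint">nobody@example.org</span>';
echo "double-encoded: ", htmlspecialchars($addr, ENT_QUOTES, 'UTF-8'), "\n";

// Printing $addr unescaped "works", but only while every maintainer
// string that reaches this line is trusted.  A constructed value shows
// the failure mode of print $addr; on untrusted input:
$hostile = 'nobody@example.org<script>alert(document.cookie)</script>';
echo "unescaped:      ", $hostile, "\n";   // the script tag survives

// Correct layering: the escape is applied to the plain address, and the
// span is wrapped around the escaped result.
function render_maintainer(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
    return '<span class="maint">' . $safe . '</span>';
}

// Several maintainers are handled the same way, one escape per value.
function render_maintainers(array $emails): string
{
    return implode(', ', array_map('render_maintainer', $emails));
}

echo "Maintained by: ", render_maintainer('nobody@example.org'), "\n";
echo "Maintained by: ", render_maintainer($hostile), "\n";  // tag neutralised
echo "Maintained by: ", render_maintainers(['a@example.org', 'b@example.org']), "\n";
```

So the answer to "can I just leave this as print $addr;" depends on where $addr comes from: if the markup is added by the page from a plain address, escape the address and print the result; if $addr arrives already wrapped in a tag, move the escaping to the point where the address is still plain text.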