# HG changeset patch
# User Dan
# Date 1182606958 14400
# Node ID ad5986a53197eb55da849e9f15fc6ad86cc7763c
# Parent ce6053bb48d8038ee219a07988c79937f8c48b2f
Fixed complicated SQL injection vulnerability in URL handler, updated license info for Tigra Tree Menu, and killed one XSS vulnerability
diff -r ce6053bb48d8 -r ad5986a53197 TODO
--- a/TODO Fri Jun 22 18:42:26 2007 -0400
+++ b/TODO Sat Jun 23 09:55:58 2007 -0400
@@ -24,7 +24,7 @@
 [x] Change the string shown on a successful re-auth into elevated privileges
 [x] ...and write a function that converts a numeric userlevel to a string
 [x] Make Special:Login remember parameters (target level, target page) even on auth fail
-[ ] Register users_extra table in system tables list (already done?)
+[x] Register users_extra table in system tables list (already done?)
 [x] Trigger form submit on press of enter in Dynano login form
 [ ] Rewrite the change theme dialog - it's archaic code that hasn't changed since beta 1!
 [ ] This should be the next-to-last step in phasing out the JWS code, which should be removed in the first 1.1 alpha
diff -r ce6053bb48d8 -r ad5986a53197 ajax.php
diff -r ce6053bb48d8 -r ad5986a53197 includes/clientside/static/admin-menu.js
--- a/includes/clientside/static/admin-menu.js Fri Jun 22 18:42:26 2007 -0400
+++ b/includes/clientside/static/admin-menu.js Sat Jun 23 09:55:58 2007 -0400
@@ -27,7 +27,11 @@
 *
 * - Header block of script file (tree.js) CAN NOT be modified or removed.
 * - The above items CAN NOT be sold as are, either individually or together.
- * - The above items CAN NOT be modified and then sold as a library component, either individually or together.
+ * - The above items CAN NOT be modified and then sold as a library component, either individually or together.
+ *
+ * Due to the unclear licensing conditions on this script, I contacted the author, who said that because Enano
+ * is not a "competing product" I was allowed to treat the code as GPL. The conversation can be seen in the
+ * /licenses/tigra-menu.html document in the Enano distribution.
 */
 var ck = readCookie('admin_menu_state');
diff -r ce6053bb48d8 -r ad5986a53197 includes/clientside/static/ajax.js
--- a/includes/clientside/static/ajax.js Fri Jun 22 18:42:26 2007 -0400
+++ b/includes/clientside/static/ajax.js Sat Jun 23 09:55:58 2007 -0400
@@ -466,6 +466,13 @@
 function ajaxChangeStyle()
 {
+ var inner_html = '';
+ inner_html += '';
+}
+
+/*
+function ajaxChangeStyle()
+{
 var win = document.getElementById("cn2");
 win.innerHTML = ' \
 \
@@ -501,6 +508,7 @@
 }
 });
 }
+*/
 function ajaxSwapCSS()
 {
 setAjaxLoading();
diff -r ce6053bb48d8 -r ad5986a53197 includes/dbal.php
--- a/includes/dbal.php Fri Jun 22 18:42:26 2007 -0400
+++ b/includes/dbal.php Sat Jun 23 09:55:58 2007 -0400
@@ -80,7 +80,7 @@
 ob_clean();
 }
 header('HTTP/1.1 500 Internal Server Error');
- $bt = $this->sql_backtrace();
+ $bt = $this->latest_query; // $this->sql_backtrace();
 $e = htmlspecialchars(mysql_error());
 if($e=='') $e='<none>';
 if(defined('ENANO_CONFIG_FETCHED')) die_semicritical('Database error', '
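Review bot: The new `ajaxChangeStyle()` body declares `inner_html` and appends to it but never writes it to the page, so as committed the function is a silent no-op while the old implementation is kept as a commented-out block (`/* … */`, closed in the second hunk at `@@ -501`). If disabling the theme dialog is the intended XSS fix, say so where a caller will see it — `// Disabled pending the change-theme dialog rewrite; old innerHTML-based implementation removed` — and delete the dead body instead of commenting it out, since commented-out code is neither tested nor linted. When the dialog is rebuilt, prefer creating elements and setting textContent over assembling a markup string from theme names. The string contents of the added lines may have been lost in this rendering, so I am reading only what is visible.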

An error occurred during a database query.

'.$t.'
Error returned by MySQL: '.$e.'
SQL Backtrace:

'.$bt.'
'); diff -r ce6053bb48d8 -r ad5986a53197 includes/functions.php --- a/includes/functions.php Fri Jun 22 18:42:26 2007 -0400 +++ b/includes/functions.php Sat Jun 23 09:55:58 2007 -0400 @@ -1443,6 +1443,12 @@ } + // Vulnerability from ha.ckers.org/xss.html: + // "; - + $tpl_strings = Array( - 'PAGE_NAME'=>$paths->cpage['name'], - 'PAGE_URLNAME'=>$paths->cpage['urlname'], + 'PAGE_NAME'=>htmlspecialchars($paths->cpage['name']), + 'PAGE_URLNAME'=> $urlname_clean, 'SITE_NAME'=>getConfig('site_name'), 'USERNAME'=>$session->username, 'SITE_DESC'=>getConfig('site_desc'), diff -r ce6053bb48d8 -r ad5986a53197 index.php --- a/index.php Fri Jun 22 18:42:26 2007 -0400 +++ b/index.php Sat Jun 23 09:55:58 2007 -0400 @@ -14,7 +14,7 @@ // Set up gzip encoding before any output is sent - $aggressive_optimize_html = true; + $aggressive_optimize_html = false; global $do_gzip; $do_gzip = false; diff -r ce6053bb48d8 -r ad5986a53197 licenses/index.html --- a/licenses/index.html Fri Jun 22 18:42:26 2007 -0400 +++ b/licenses/index.html Sat Jun 23 09:55:58 2007 -0400 @@ -82,8 +82,9 @@
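Review bot: `$bt` now holds the raw text of the last query and is concatenated straight into the 500 page at `'.$bt.'`, whereas `$e` one line earlier goes through htmlspecialchars(); a query that failed because it carried user-supplied input echoes that input back unescaped, which is both a reflected-XSS vector in the error page and a disclosure of the full SQL statement to any visitor who can provoke a database error. Escape it at the source, `$bt = htmlspecialchars($this->latest_query); // $this->sql_backtrace();`, and consider showing query text only in a debug or admin context. `$t` is also interpolated into the same page but is not set anywhere visible in the hunk, so I cannot tell whether it is escaped. The enclosing method starts before the hunk and continues after it.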
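Review bot: `htmlspecialchars($paths->cpage['name'])` is called with default flags, which leave single quotes unescaped, so PAGE_NAME is only safe in element text and double-quoted attributes; if a template ever places it in a single-quoted attribute or an inline script string the fix is incomplete. Passing `ENT_QUOTES` — `'PAGE_NAME'=>htmlspecialchars($paths->cpage['name'], ENT_QUOTES),` — closes that gap at no cost. The assignment of `$urlname_clean` that now feeds PAGE_URLNAME is not visible in the hunk as extracted (several lines around the `// Vulnerability from ha.ckers.org/xss.html:` comment appear to have been lost in rendering), so I cannot confirm how it is sanitised; a comment on that line stating what context it has been made safe for (URL path versus HTML text) would let the next reader check it. The surrounding function starts before this hunk and ends after it.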

GNU Lesser General Public License

@@ -122,7 +123,6 @@ diff -r ce6053bb48d8 -r ad5986a53197 licenses/tigra-menu.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/licenses/tigra-menu.html Sat Jun 23 09:55:58 2007 -0400 @@ -0,0 +1,6 @@ + +817108 +

Conversation with 817108

+(06:59:52 PM) Dan: is this the ICQ support for the Softcomplex/Tigra products?
(07:00:42 PM) Dan: i would like to know about the licensing terms for the Tigra Tree Menu
(07:01:12 PM) 817108: sure
(07:01:52 PM) Dan: according to the license terms, I should be allowed to modify the code, and then distribute it in my own free software, correct?
(07:02:23 PM) Dan: full credit is given in the source code, as shown in: http://nighthawk.enanocms.org/includes/clientside/static/admin-menu.js
(07:02:23 PM) 817108: yep
(07:02:41 PM) Dan: are you familiar with the GNU General Public License at all?
(07:03:10 PM) 817108: yep, but I'm not a legal type
(07:03:35 PM) 817108: If you prefer GNU, then consider it GNU
(07:04:59 PM) Dan: wow, thanks =)
the problem is that just saying that would probably get me into trouble if someone asked about the license info, because the GPL may in some circumstances go against your licensing terms

(07:05:21 PM) Dan: the license condition that concerns me is: The above items CAN NOT be modified and then sold as a library component, either individually or together.
(07:06:07 PM) 817108: this means that you can't sell it as own modified tree
(07:06:18 PM) 817108: if it's the part of larger system then no problem
(07:06:24 PM) Dan: the GNU General Public License says that you are explicitly allowed to use the code commercially (i.e. charge for it) but you must ensure that any publicly distributed version is also available under the terms of the GPL, and that all recipients are allowed to freely distribute their copies
(07:07:14 PM) Dan: it also means that someone can take my modified version, modify it further, and then charge for copies of it
(07:07:17 PM) 817108: can't be sold deal is just to prevent from creating the competing free or commercial product based on our script
(07:07:49 PM) Dan: ahh, i see, so that means that i may treat the code as if it were GPL?
(07:07:55 PM) 817108: I understand that your product is not competing with the javascript tree
(07:08:28 PM) Dan: ok, thank you very much for your help, i will update the license block in that file accordingly
(07:14:34 PM) Dan: just as a side note, you may want to mention that if the free products are used as a part of a larger project that they can be under Free Software licenses, to save yourself from undue annoyances from guys like me ;-)
(07:15:14 PM) 817108: luckily very few give a damn about the legal writing ;)
(07:17:45 PM) Dan: haha
is it ok with you if i include an HTML copy of this conversation in the licenses folder in the Enano distribution, as proof of the license conditions?

(07:18:13 PM) 817108: ;) that's pretty loose language
(07:18:51 PM) Dan: well if Enano ever gets in some sort of legal issue, the first thing my lawyer will ask me is, did you document all license info on third party code
(07:19:31 PM) 817108: ok, then as long a lawyers don't get too much work + + diff -r ce6053bb48d8 -r ad5986a53197 plugins/SpecialAdmin.php --- a/plugins/SpecialAdmin.php Fri Jun 22 18:42:26 2007 -0400 +++ b/plugins/SpecialAdmin.php Sat Jun 23 09:55:58 2007 -0400 @@ -116,7 +116,7 @@ echo ''; switch($r['action']) { case "admin_auth_good": echo 'Successful elevated authentication'; if ( !empty($r['page_text']) ) { $level = $session->userlevel_to_string( intval($r['page_text']) ); echo "
Authentication level: $level"; } break; - case "admin_auth_bad": echo 'Failed administration logon'; break; + case "admin_auth_bad": echo 'Failed elevated authentication'; if ( !empty($r['page_text']) ) { $level = $session->userlevel_to_string( intval($r['page_text']) ); echo "
Attempted auth level: $level"; } break; case "activ_good": echo 'Successful account activation'; break; case "auth_good": echo 'Successful regular user logon'; break; case "activ_bad": echo 'Failed account activation'; break;
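Review bot: The new `admin_auth_bad` case copies the level lookup from `admin_auth_good` verbatim (`$level = $session->userlevel_to_string( intval($r['page_text']) );`), so two one-line cases now carry identical logic that will drift apart on the next edit. Hoist it above the switch, `$level = empty($r['page_text']) ? '' : $session->userlevel_to_string( intval($r['page_text']) );`, and let each case just test `$level !== ''` before echoing its label. The `intval()` cast means only a numeric level reaches the output, which is the right shape for an audit-log row. The switch continues past the end of the hunk.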