Discuss Version 0.60 DevTrack

You are viewing Revision 17 of Discuss_Version_0.60_DevTrack

This page is registered as a special page, however you are viewing a previous revision of the page. As such, the special page function will not be triggered.

Taint mode (-T) is turned on, however not all shell expansions are untainted. This will generate errors in some installations (apparently not in my dev environment though... weird).

Here are the lines that include shell expansion:

654:    $line =~ s#\`{1}(.*?)\`{1}#<tt>$1</tt>#g;
741:    '`<tt>teletype</tt>`</dd>'.
1400:    $diff = `diff $TempDir/old $TempDir/new`;
1516:  my $diff = `diff $TempDir/old $TempDir/new`;
1645:  print $q->p("perl: ".`perl -v`);
1646:  print $q->p("diff: ".`diff --version`);
1647:  print $q->p("grep: ".`grep --version`);
1648:  print $q->p("awk: ".`awk --version`);
2289:  chomp(my @files = `grep -Prl '$Param{'search'}' $PageDir`);
2990:  my $diff = `diff $TempDir/old $TempDir/new`;
3179:  chomp(my @counts = split(/\n/,`grep ^$UserIP $VisitorLog | awk '\$2>$spts'`));

For sure lines 1400, 1516, 2289, 2990, and 3179 should be examined closely.

-- AaronGraves Thu Jun 23 03:57:33 UTC 2016 (107.167.108.182)

Lines 1400, 1516, 2289, and 2990 have been untainted. 3179 (now 3194) remains.

-- AaronGraves Thu Jun 23 04:21:45 UTC 2016 (107.167.108.182)

Some untainting methods: http://www.perlmonks.org/?node_id=516577

-- AaronGraves Thu Jun 23 16:10:23 UTC 2016 (107.167.108.182)

In DoSearch, line 2394:

open my($FILES), "grep -Erli '($search|$altsearch)' $PageDir 2>/dev/null |";

This needs to be untainted too.

-- AaronGraves Thu Jun 23 17:15:55 UTC 2016 (107.167.108.182)

In addition to the above, this will have to be corrected in ListAllFiles, ListAllTemplates, and ListDeletedPages.

-- AaronGraves Thu Jun 23 17:33:21 UTC 2016 (107.167.108.182)

For untainting, see https://github.com/ajgraves/aneuch/issues/32

-- AaronGraves Fri Jun 24 04:23:51 UTC 2016 (107.167.108.182)

For 3179 I would suggest something like this for line 253:

$UserIP = $q->remote_addr; #$ENV{'REMOTE_ADDR'};
        if ($UserIP =~ /^([0-9.]+)$/) {
                $UserIP=$1;
        } else {
                $UserIP='000.000.000.000'; # Redirect to an error page instead?
        }

-- Russ Sun Jun 26 19:21:16 UTC 2016 (24.113.55.207)

Thanks Russ, actually what I used was:

my ($UIP) = ($UserIP =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/g);   # nnn.nnn.nnn.nnn

-- AaronGraves Tue Jun 28 01:33:48 UTC 2016 (107.167.108.182)

Untainting should be completed.

-- AaronGraves Tue Jun 28 19:50:40 UTC 2016 (107.167.116.86)

I re-downloaded aneuch.pl today and think I found two more:

  • 2869: unlink $file; (DoMaintPurgeTemp)
  • 1384: if(! -d "$PageDir/$archive") { mkdir "$PageDir/$archive"; } (WritePage)

-- Russ Mon Jul 4 03:46:58 UTC 2016 (24.113.55.207)

Thanks Russ, I did miss a few places. I'll go through again and make sure they are all mopped up.

-- AaronGraves Mon Jul 4 14:21:16 UTC 2016 (174.71.115.113)

Nice bootstrap tutorial

-- AaronGraves Tue Jul 12 13:54:11 UTC 2016 (174.71.115.113)

Update on bootstrap: The framework has been implemented. The administration screen has been updated to use the framework as well. The site is completely mobile friendly (including the admin screen). Small tweaks are likely to continue up until release.

-- AaronGraves Thu Jul 14 17:55:36 UTC 2016 (174.71.115.113)

I've also written a sitemap plugin. Debating including the functionality into Aneuch itself.

-- AaronGraves Thu Jul 14 17:56:24 UTC 2016 (174.71.115.113)

Images now have the class 'img-responsive' so they are actually, you know, responsive.

-- AaronGraves Sat Jul 23 16:42:43 UTC 2016 (216.105.250.127)

I should add UTF8 encoding for saving/reading files as well in this version.

-- AaronGraves Sun Jul 16 16:39:14 UTC 2017 (216.105.250.127)