Alexander Rutz
@animaux
Just checked with PHP errors, and it’s the same. php_value display_errors off doesn’t seem to have an effect. Normally the customers reported errors pretty fast so we were able to fix stuff :), but this really is a serious problem.
Sadie
@Sadie
I know, I was horrified to see all those file paths when I received the link to the site with the question, can you fix this?
Alexander Rutz
@animaux
@jonmifsud once sent me a set of special backend templates (not XSLT) that can be used to modify stuff like this, but I never used them. There should be some switch for these messages, and I’m really surprised if there isn’t.
Sadie
@Sadie

Me too, thought I must be missing it.

Thing is, I THINK (it's been DAYS ago) when I first upgraded to 2.7.10 that I got a blank white page, with no detail. On the old forum I found a post where @brendo suggested adding
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(-1);
to index.php so you could see the error. So I did add it and could see the details, but removed it after I fixed the error. Now it seems I can't go back.

Alexander Rutz
@animaux
I think the »blank white page« is some error that’s not even making it to the error page, or prevents it from even turning up.
Symphony Fatal Fatal Fatal Error
Sadie
@Sadie
Makes sense, I can't remember what the error was now. That was a really old post, 2014 I think, so maybe that was in the era of Symphony 2.2 you mentioned earlier.
Alexander Rutz
@animaux
I think there’s some discussion here: symphonycms/symphonycms#2509 but it’s way over my skills … and development of symphony has virtually stopped with 2.7.10/3.0.0, so no idea where else to look at the moment.
Alexander Rutz
@animaux
Looks like it boils down to that PR, that was not pulled. If I understand correctly, Nicolas redid the changes for 3.0.0, at least in my 2.7.10 version these lines do not exist: https://github.com/DeuxHuitHuit/symphonycms/blob/f783d41aab2e3d0edad6371305cc6e7b25a09632/symphony/lib/boot/bundle.php#L24-L26
Just tried adding those. The error page gets smaller, but still reveals all the paths …
Sadie
@Sadie
@animaux That discussion is out of my league, too. OK, that which is added to 3.0.0 might be something to follow up on. Thanks for looking! I have to leave for a virtual meeting, will be away for a couple of hours. I'll keep you posted on anything I find.
Alexander Rutz
@animaux
3.0.0 breaks a lot of other stuff unfortunately. Will go to bed, it’s late in Germany ;). Will also let you know if I get wiser. Maybe someone else can chime in.
There are 52 changed files in that PR … argh.
Alexander Rutz
@animaux
A nasty way of preventing error messages is to comment out the content of the render($e) {} function in /symphony/lib/core/class.errorhandler.php, starting on line 201. This renders a white page on error.
Only works for PHP-errors though …
Sadie
@Sadie
@animaux you mentioned @jonmifsud which was a name I'd run across in Google search results, but his site no longer exists. Thanks to the Wayback Machine I found the Jon Mifsud post that discusses custom error pages. I haven't tried to do this yet; it's been a long day. I'll be back on it tomorrow.
Juraj Kapsz
@jurajkapsz

Heh, wrote this in the wrong chatroom (Symphony Help), so just for record here again:

Guys, count me in when we should have a joint call of Symphony CMS community, I think such idea was mentioned recently. I should be available from April and onwards.

Alexander Rutz
@animaux
I have just finished a major new version of the maplocationfield that gets rid of all Google Maps and Geocoding and uses Openstreetmap/Nominatim instead. It can be used as a drop-in replacement for the former version. Only limitation is that location names in stored fields and datasource filters are not supported any more, only latlng. I’m happy if anyone is interested in testing: https://github.com/animaux/maplocationfield
Alexander Rutz
@animaux
@jurajkapsz The main problem with »a joint call of Symphony CMS community« is that it would need coordination. Don’t know if @nitriques can be around? In my opinion the three most important things would be:
  1. commit critical bugfixes for 2.7.x (is LTS even an issue any more?) in the main repo
  2. commit critical bugfixes for 3.x in the main repo
  3. PHP8 fixes for 2.7.x and 3.x while retaining backwards compatibility with PHP7?
  4. include (more) active members as admins for the github symphonists account in order to check/approve PRs
Is anyone working productively with 3.x? I have not been able to use it at all.
Juraj Kapsz
@jurajkapsz
@animaux yes, if there should be a call, we could put together points we want to talk over. My points are similar if not the same. As for 3.x, I have not tried it yet, it's next on my todo list, I should get to it in about a month or so.
Juraj Kapsz
@jurajkapsz

I have just finished a major new version of the maplocationfield that gets rid of all Google Maps and Geocoding and uses Openstreetmap/Nominatim instead. It can be used as a drop-in replacement for the former version. Only limitation is that location names in stored fields and datasource filters are not supported any more, only latlng. I’m happy if anyone is interested in testing: https://github.com/animaux/maplocationfield

@animaux nice, actually my current project uses maps services (Google), and I was also looking at this extension for backend use but went without it, though the extension was working fine. Anyway, the idea of Openstreetmap/Nominatim is very interesting.

Alexander Rutz
@animaux
@jurajkapsz I’m happy if it’s useful!
Nimantha Harshana Perera
@nimanthaharshana

Hi Everyone,

Hope all of you guys are doing well. We are trying to secure our very few Symphony apps until they are migrated to a new platform and we ran some security tests against those recently and found that if someone gets into the backend somehow they of course can take control over the server via the following steps.

1) Create a new section with a file upload input without any restrictions
2) Upload an htaccess file by letting it run PHP code via a different extension
3) Run malicious php code and gain control over important assets on the server (Possibly the whole server via other possible attacks)

For the above particular issue we got advice from the security team that there should be a global file extensions whitelist (not a blacklist) so that it's not possible to upload files such as .htaccess, .sh, .js etc. Restricting certain file extensions to the file upload input (in a specific section) is not an option here as we are talking about someone who already got into the backend. So the only way to avoid this is to have a global level file extension whitelist so uploading any files other than those in the whitelist is prohibited. We couldn't find a way to do this at the Apache config level and we think the only possibility would be to have a global level extension that will be in effect on file upload inputs.

Please can you guys share your thoughts on this? WE STRONGLY BELIEVE THIS RISK COULD BE THERE FOR ALMOST ALL THE SYMPHONY SITES.

PLEASE NOTE THAT WE ARE NOT ALLOWED TO SHARE MORE INFORMATION OTHER THAN THE ABOVE STEPS.

Wannes Debusschere
@wdebusschere
I tried to upload a test.php
Alexander Rutz
@animaux

if someone gets into the backend somehow

Hmm. It would have to be a dev-account this someone would need to have access to. With a compromised dev-account I can imagine all kinds of other bad things possible …

Can verify .php upload is blocked.
Alexander Rutz
@animaux
I also tried a php file with no file-extension, that got blocked too.
cylkee
@cylkee
@nimanthaharshana Versions tested?
Alexander Rutz
@animaux
Also, at least in MacOS I am not able to upload an .htaccess file.
Apparently files with NO extension are always blocked.
cylkee
@cylkee
On Windows I can upload a .htaccess
Brian Zerangue
@bzerangue
@animaux - on Mac, in the Finder, Hold down Cmd + Shift + . (dot) ... that way you can upload .htaccess files. Unless it is some server related blocking specific file types with the host (which makes sense).
Alexander Rutz
@animaux
@bzerangue great, thanks!
Phill
@pixelninja
Oh snap, I was about to jump on here and say where is everyone?! But it's been busy! I haven't been getting any notifications... weird :shrug: how is everyone's 2021 going??
Juraj Kapsz
@jurajkapsz

Oh snap, I was about to jump on here and say where is everyone?! But it's been busy! I haven't been getting any notifications... weird :shrug: how is everyone's 2021 going??

hey @pixelninja quite busy, how about you?

Alexander Rutz
@animaux

hey @pixelninja quite busy, how about you?

Same here!

ali77baran
@ali77baran
hi
I want to use Symphony
but need some extension or some development
for example login with mobile authentication or changing the registration form
Phill
@pixelninja
@jurajkapsz @animaux absolutely flat out, can't catch a break!
@ali77baran not sure what you mean sorry
Alexander Rutz
@animaux
@pixelninja I have considered coming to NZ to apply at your place ;) but then we don’t want to uproot our kids.
Moritz Profitlich
@mprofitl

@animaux Are you still interested in thoughts on implementing a double-opt-in? I just did it in two projects.

– The section ‹recipients› stores all addresses. It has a hash-id field.
– A person registers -> the entry is saved to the section ‹recipients›. The event ‹opt-in› is fired.
– The event ‹opt-in› sends a mail to the recipient with a link to a page with the parameter ?email=MAILADDRESS&hash=HASHID&action=opt-in (my idea is to allow changes to the subscription by using other action parameters)
– The double-opt-in page filters the recipients section by mail address and hashid. An event ‹double-opt-in› is attached to the page. A hidden form resaves the entry via Ajax and sets a field ‹double-opt-in› to true (checkbox)
– The page then displays a confirmation

Two things I would like to improve:

  1. Get rid of the Ajax workaround by firing the double-opt-in event already when opening the page (is that possible?)
  2. Never show the entry ID publicly (which would already be the case when solving (1)). I tried using this obfuscation trick but it seemed to be incompatible with the current Symphony or PHP version.

I’d be delighted to learn about your solution.

Alexander Rutz
@animaux
@mprofitl thanks! My untested idea of implementation is quite similar, I think.

Get rid of the Ajax workaround by firing the double-opt-in event already when opening the page (is that possible?)

You can trigger the event on page load: https://www.getsymphony.com/discuss/thread/69596/

Also you could filter the entry with the e-mail by filtering by hash and not internal id.
So when that particular URL is requested it will run the event and thus activate the entry.