fibs in XOOPS Q&A (1)
from PEAK XOOPS Support&Experiment
(2006/5/27 17:43)
Q1: How to delete submenu items?
A1: Edit xoops_version.php

It's just a fib :-)

xoops_version.php MUST be modified whenever a module is updated. Who can hack xoops_version.php again and again?

First, you should stop using "Main Menu" from the system module if you want to control menu items. You should learn that "Main Menu" is one of the heaviest blocks, because it crawls every xoops_version.php under the active modules.
Don't use and trust core files
from PEAK XOOPS Support&Experiment
(2006/5/26 4:20)
If you are a module developer, you should not use or trust code or files in XOOPS 2.0.x.

- using XoopsMediaUploader --> imports a file upload vulnerability into your module (though this is just an old issue)
- using XoopsObject (Criteria) --> imports SQL injections into your module

This is not only a problem of vulnerabilities.

- using XoopsErrorHandler --> all errors will be "echo"ed or "silenced"; you can't use "log" at all.
- using the Ticket class from the core --> your module loses compatibility with the other core (xoops.org / cube.org). With xhld, I've made this mistake.
- using Snoopy in the core --> xhld lost compatibility with some blog servers on the 2.0.14-JP core. I have to release xhld with a properly modified Snoopy. Then I'll make an original class to fetch feeds via HTTP.
Which function should be adopted in escaping string?
from PEAK XOOPS Support&Experiment
(2006/5/25 6:34)
This is a summary of a discussion with ELF about escaping strings for SQL.

I recommend addslashes():
(A) performance
(B) compatibility with environments where magic_quotes_gpc=on
(C) a reverse function exists
(D) no DB connection is needed

ELF recommends *_escape_string():
(1) the purpose is clear
(2) easily searchable by grep and replaceable by sed
(3) can follow changes in the DB engine's spec

I think all of (1), (2) and (3) stand to reason.
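The two escaping routes discussed above, side by side, as an added example that is not from the original post; the function names are my own, and the driver route assumes an open mysqli handle `$db`.

```php
<?php
// Added example (not from the original post): the two escaping choices
// discussed above, side by side. The function names are my own.

// addslashes() route: needs no DB connection (D), and stripslashes() is the
// reverse function (C). When magic_quotes_gpc=on, request data already carries
// backslashes, so that must be undone first or the value is escaped twice (B).
function escapeWithAddslashes($raw)
{
    // get_magic_quotes_gpc() exists only in PHP < 8; guard the call so the
    // function still works on newer interpreters where the setting is gone.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return addslashes($raw);
}

// *_escape_string() route: the escaping is done by the DB driver for the
// connection's character set, so it follows the engine's own quoting rules (3),
// and the distinctive name is easy to grep for and to replace with sed (1)(2).
function escapeWithDriver(mysqli $db, $raw)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return $db->real_escape_string($raw);
}

// Either way the escaped value must still be placed inside single quotes in
// the SQL: escaping protects a string literal, not a bare number or identifier.
// The driver route is used the same way, given an open handle: escapeWithDriver($db, $raw).
$title = escapeWithAddslashes(isset($_POST['title']) ? $_POST['title'] : '');
$sql = "SELECT * FROM articles WHERE title = '" . $title . "'";
```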
An influence of SA20176
from PEAK XOOPS Support&Experiment
(2006/5/24 12:16)
I'm surprised by the number of attacks that came just after 22 May.

82.53.119.185 CONTAMI Attempt to inject 'xoopsOption' was found. Attempt to inject 'xoopsConfig' was found. Injecting Null-byte '../../../../../../../../../../var/log/error_log' found.

The 1st attack came from 166.111.249.39 and 87.6.115.177 on 2006/5/22 4:28. (This is just after the report.) Someone attacks from 10 independent IPs. What a popular site PEAK XOOPS is! :-D

And you should learn how quick script kiddies' attacks are. If you've installed Protector, check the logs in Protect Center. Else, install it right now :-)
Protector is ready for SA20176 :-)
from PEAK XOOPS Support&Experiment
(2006/5/23 3:18)
Secunia Advisory: http://secunia.com/advisories/20176/

Don't worry about it if you've installed Protector. It is just a well-known attack, and Protector shuts it out and logs it. (Both the Null-byte and the Injection will be reported if such an attack comes.)

If you don't/won't install Protector, check again that register_globals is disabled. (Though I can't imagine public XOOPS sites without Protector :-D)

You should know the worst vulnerability is not SA20176 itself but the setting of register_globals=on.
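A minimal request check that produces the two kinds of finding Protector logged in the 24 May entry, plus the register_globals check recommended above; this is an added example, not from the original post and not Protector's own code, and the function names and the sample request are my own.

```php
<?php
// Added example, not from the original post and not Protector's own code: a
// minimal request check producing the two kinds of finding Protector logged
// in the 24 May entry. Function and variable names are my own.

// Parameter names that must never come from the request: with
// register_globals=on, a request parameter named like a core global would
// overwrite that global. Extend the list with your own core/module globals.
function reservedGlobals()
{
    return array('xoopsOption', 'xoopsConfig');
}

// Scan one request array (e.g. array_merge($_GET, $_POST, $_COOKIE)) and
// return one finding per problem, in the same wording Protector uses.
function checkRequest(array $params)
{
    $findings = array();
    foreach ($params as $key => $value) {
        if (in_array($key, reservedGlobals(), true)) {
            $findings[] = "Attempt to inject '$key' was found.";
        }
        // A null byte inside a value truncates paths in file functions.
        if (is_string($value) && strpos($value, "\0") !== false) {
            $shown = str_replace("\0", '', $value);
            $findings[] = "Injecting Null-byte '$shown' found.";
        }
    }
    return $findings;
}

// The root cause is the php.ini setting; refuse to serve pages with it on.
function registerGlobalsOn()
{
    return (bool) ini_get('register_globals');
}

if (registerGlobalsOn()) {
    die('register_globals is on: turn it off in php.ini or .htaccess');
}

// Constructed sample request modelled on the logged attack, not captured traffic.
$sample = array(
    'xoopsOption' => 'x',
    'file'        => "../../var/log/error_log\0",
);
foreach (checkRequest($sample) as $finding) {
    error_log($finding);   // Protector records these in Protect Center instead
}
```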
Privileges about altsys
from PEAK XOOPS Support&Experiment
(2006/5/22 4:44)
The conventional myblocksadmin and mytplsadmin check the privilege 'system_admin' from the system module.

- myblocksadmin: XOOPS_SYSTEM_BLOCK (System Admin rights -> Blocks)
- mytplsadmin: XOOPS_SYSTEM_TPLSET (System Admin rights -> Templates)

But this harms the independence of each module, because the 'system module' will become just a normal module that can be exchanged in the near future of XoopsCube, and privilege constants like XOOPS_SYSTEM_* are defined only in the system module. The 'system module' is not a part of the CORE of XOOPS. (At least, it is an important fact with XoopsCube.)

Thus, I've changed the privileges of altsys from the conventional myblocksadmin/mytplsadmin. altsys does not check 'system_admin' at all, but 'module_admin' of altsys itself. If you want to control the privileges of the altsys library, check/uncheck altsys's module_admin.

An exception: mypreferences inside altsys checks module_admin of the targeted module. It sounds natural, doesn't it?
$xoopsOption['pagetype']
from PEAK XOOPS Support&Experiment
(2006/5/21 4:10)
Do you know $xoopsOption['pagetype']? I think this is a coccyx from Nuke.

In XOOPS 2.0.x, root controllers use it and include/common.php includes the global language/(pagetype).php. There is no other utilization in XOOPS 2.0.x. In XoopsCube, it will be eliminated.

But XOOPS 2.2 gives the place of honor to the variable in selecting a theme.

/modules/(module)/index.php --> theme.html
$xoopsOption['pagetype'] is null

/modules/(module)/admin/index.php --> themeadmin.html
$xoopsOption['pagetype'] is set in kernel/module.php automatically

If you want to make a module with a fully front controller, set $xoopsOption['pagetype']='admin' manually. This is a tip for creating a multi-core module. :-)
a happy side effect of D3 module
from PEAK XOOPS Support&Experiment
(2006/5/20 3:30)
I've just found the Duplicatable V3 (D3) module is quite friendly to multi-core versions!

Old style module:
/var/www/xoops2.2/modules/(module)/LOGICS (core from xoops.org)
/var/www/xoops-jp/modules/(module)/LOGICS (core from xoopscube.jp)
/var/www/oreteki/modules/(module)/LOGICS (core from marijuana.ddo.jp)

Module developers have to manage two directories. This makes two problems hard to solve:
- .svn (or CVS)
- conflicts (a symbolic link can't be used for such a purpose)

D3 module:
/var/www/xoops2.2/modules/(module)/wrapper (core from xoops.org)
/var/www/xoops-jp/modules/(module)/wrapper (core from xoopscube.jp)
/var/www/oreteki/modules/(module)/wrapper (core from marijuana.ddo.jp)
/var/xoops_trust_path/modules/LOGICS

All you have to do is edit the files under XOOPS_TRUST_PATH.

If you are an administrator of many sites on a server, you can enjoy the same merit. When a D3 module is updated, you have to overwrite the files under XOOPS_TRUST_PATH just once, even if you have 10 or 100 sites on the server :-D
altsys released
from PEAK XOOPS Support&Experiment
(2006/5/19 17:08)
In XOOPS history, the system module has been a "hard to use" module, especially blocksadmin, groups, and tplsets. Thus I've released myblocksadmin, mymenu, and mytplsadmin.

Today, I'm proud to release the altsys module & library.

The weaknesses of myblocksadmin, mytplsadmin etc.:
- each module instance has its own file instances. It makes the module hard to maintain.
- incompatible with Duplicatable V3 or XOOPS_TRUST_PATH modules
- not ready for a core like XoopsCube which can exchange the system module

I solved all of these problems with altsys. You can understand altsys like the formula:

altsys = myblocksadmin + mytplsadmin + mymenu + alpha

altsys is both a library and a module, like myblocksadmin/blocksadmin. But with altsys, almost all the logic exists in files under XOOPS_TRUST_PATH. This means there is no duplication of files.

In a Duplicatable V3 module, mymenu finds XOOPS_TRUST_PATH/libs/altsys and displays menu items linking myblocksadmin or mytplsadmin automatically. Of course, WRAPS - the first D3 module - has such a feature.

Then, I ...
redirect or die() :-)
from PEAK XOOPS Support&Experiment
(2006/5/18 18:14)
There are too many applications like XOOPS using redirection when an error occurs. They should be replaced with die() without conditions after normal post transactions.

If you write die() instead of redirection in error handling:
- Users can read the error message thoroughly.
- Users can return to the previous page immediately.
- You don't have to write code for the redirect. ;-)