The site tag cloud ought to be displayed in alphabetical order instead of random order.
I am using Elgg 0.92 SVN revision 1617. Basically, a community owner needs to be able to change membership restriction to moderate or private. In the 0.92 /1617 release this does not work -- any change in membership restriction does not 'stick'. I know that this has functioned prior to this release because some of the communities are set to moderate which was performed on an earlier version.
I have trawled through the discussion forums and the Tracker site but have found no mention of this issue.
I have labeled this high priority because it's a potential show stopper for using communities on my site Earlham Learning Spaces https://els.earlham.edu
We have noticed in both ELGG 0.9.1 and ELGG 0.9.2, that if you do not tick the "remember me" box, Vanilla forum will only display public forums, and will not provide the option to start a new discussion.
There was a similar problem with ELGG itself that was resolved in 0.9.2:
http://classic.elgg.org/trac/ticket/322
I was hoping someone had a similar patch for the Vanilla Forum plugin.
Setting commentwall to "private" or "logged in users only" still allows spam to get in.
mod/commentwall/do_action.php
mod/commentwall/lib.php::commentwall_addcomment()
all ignore permissions. Can you give me a pointer on how to get hold of permissions for a plugin and I'll fix it?
A user can upload an HTML file containing JavaScript. When another user downloads the file, the script is run as if the script comes from the same domain, an XSS vulnerability.
The included patch simply sets Content-Disposition to attachment for all files that are not images, instead of just for files with the application/octet-stream MIME type, as is done in Elgg 1.0.
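An added example (not Elgg's own code, nor the ticket's patch) of the download-header logic the ticket describes: only raster images are served inline, everything else is forced to download, and sniffing is disabled. It assumes the MIME type was detected server-side rather than taken from the uploader, and it goes one step further than the ticket by treating SVG as a download too, since SVG is an image type that can carry script.

```php
<?php
// Added example, not Elgg code. Decide how a user-uploaded file is served so
// that a browser never renders uploaded HTML/script in the site's own origin.
// Assumption: $mime comes from server-side detection (e.g. finfo), not from
// the uploader's declared Content-Type.

function download_headers(string $mime, string $filename): array
{
    // Raster image types a browser renders without executing script.
    // image/svg+xml is deliberately absent: SVG may contain <script>.
    $inline_ok = ['image/png', 'image/gif', 'image/jpeg', 'image/bmp', 'image/webp'];

    // Keep the filename from injecting quotes or CR/LF into the header value.
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));

    $disposition = in_array($mime, $inline_ok, true) ? 'inline' : 'attachment';

    return [
        'Content-Type'           => $mime,
        'Content-Disposition'    => $disposition . '; filename="' . $safe_name . '"',
        // Stop browsers from sniffing e.g. a text/plain upload back into HTML.
        'X-Content-Type-Options' => 'nosniff',
    ];
}

function send_file(string $path, string $mime, string $filename): void
{
    foreach (download_headers($mime, $filename) as $name => $value) {
        header($name . ': ' . $value);
    }
    readfile($path);
}

// Constructed checks: an uploaded HTML page is forced to download, a photo is
// shown inline, and a crafted filename cannot break out of the header.
assert(download_headers('text/html', 'page.html')['Content-Disposition']
       === 'attachment; filename="page.html"');
assert(download_headers('image/png', 'photo.png')['Content-Disposition']
       === 'inline; filename="photo.png"');
assert(download_headers('image/svg+xml', 'logo.svg')['Content-Disposition']
       === 'attachment; filename="logo.svg"');
assert(strpos(download_headers('text/plain', "a\"\r\nX: y.txt")['Content-Disposition'], "\r") === false);
```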
By default, Elgg 0.9.x ships the data directory within the root directory accessible by the web; malicious users can upload a .htaccess file and disable the rewrite engine in their files directory (data/files/u/username/).
When the administrator edits others' blogs, the TAGs are not retrieved because it uses the session id; a simple identification of the $page_owner tells display_input_field to use that as the $page_owner.
Patch attached
In 'populartags', the code selects TAGs using the 'ident' field, which is a sequential code generated each time we 'add' or 'edit' a blog post. However, editing an old blog post generates a new 'ident' without changing its position in the queue for the MySQL query that uses the record ID, and consequently brings that TAG to the latest blogs.
This allows a user to manipulate the TAG cloud, pointing to his/her personal blogs. (We had that case - people are creative.)
Changing the field 'ident' to 'ref' and using the MAX() clause in the MySQL query, as well as the constraint tagtype='weblog', made an effective solution.
Patch attached
Elgg currently uses a rather simple algorithm for calculating the invitation code used to identify a new user. It uses the first 8 characters of an MD5 hash of the name of a new user and the current time. This same algorithm is used when calculating a code for a password reset.
In a heavily used system, it is very possible with the current algorithm to have two emails sent out with the same code (had that happen to me twice in the past two days!). If error reporting is disabled (hide errors), this effectively has the result that a user clicking on the link is presented with the password reset or invitation of another user!
I have chosen a very straightforward approach to fix this. Before the new code is inserted in the invitation table, the table is checked to make sure the code is unique. If it is not, we sleep() for 1 second and generate a new code. This continues until a unique code is found. This is still not 100% proof (we would need table write locking for that), but it's a lot better.
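An added example, not Elgg's code or the ticket's patch, showing the weak scheme the ticket describes beside a replacement that keeps the uniqueness check but draws the code from a CSPRNG, so it can neither collide in practice nor be predicted from the user name and the clock. The names weak_invite_code, generate_invite_code and the $code_exists callback (standing in for the invitation-table lookup) are assumptions.

```php
<?php
// Added example, not Elgg code.

// The scheme the ticket describes: 8 hex chars (32 bits) of md5(name . time()).
// Two invitations for the same name within the same second get the same code,
// and anyone who knows the name and roughly when it was sent can guess it.
function weak_invite_code(string $name, int $now): string
{
    return substr(md5($name . $now), 0, 8);
}

// Replacement: 128 random bits per code. $code_exists is an assumed callback
// that checks the invitation table; the loop keeps the ticket's uniqueness
// check but never needs to sleep(), because a repeat is vanishingly unlikely.
function generate_invite_code(callable $code_exists, int $max_tries = 5): string
{
    for ($i = 0; $i < $max_tries; $i++) {
        $code = bin2hex(random_bytes(16));
        if (!$code_exists($code)) {
            return $code;
        }
    }
    throw new RuntimeException('could not allocate a unique invitation code');
}

// Constructed demonstration: the weak scheme collides for a repeated name in
// one second; the replacement yields distinct, unpredictable codes.
$t = 1200000000;
assert(weak_invite_code('alice', $t) === weak_invite_code('alice', $t));

$issued = [];
$exists = function (string $code) use (&$issued): bool {
    return isset($issued[$code]);
};
$a = generate_invite_code($exists); $issued[$a] = true;
$b = generate_invite_code($exists); $issued[$b] = true;
assert($a !== $b && strlen($a) === 32);
```

The select-then-insert race the ticket mentions is best closed at the database: put a UNIQUE index on the code column and treat a duplicate-key error on INSERT as "try again", which removes the need for table locking.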
Before I added a message I saw one message. After I added a message to the message board I see the old messages doubled. After I refresh the page all works OK.
Presentations and audio recordings from the Forum are now available to download from each of the session pages and also from the Forum programme page.
Some comments from the Feedback survey have also been posted on the Feedback page along with some short video clips of delegates to download.
We have also added video clips to the Projects Attending page where you can get a short description of the projects from people involved in them.
There is a cross site request forgery vulnerability on the blog, both for users' personal blogs and for a community's blog.
Again, this ticket applies to Elgg 0.9.2, but I cannot pick 0.9.2 from the drop-down. Patch is included.
Note that for some reason, $page_owner is set to the user logged in instead of the community's ID when a user submits an edited (but not a new) post. This itself should be a bug. So instead of using $page_owner, I simply use the result of a database access to obtain the desired value before the edited post is rejected.
There is a Cross Site Request Forgery vulnerability against the CommentWall. While this may seem trivial, an attacker may take advantage of the CommentWall to figure out when another CSRF has taken place. An attacker can create an account on an Elgg social network. Then, when he is taking advantage of another CSRF vulnerability, he can also post on the CommentWall of his account as the victim. Then he can quietly delete the victim's post, leaving no trace.
The patch is included. I found this on Elgg 0.9.2, but this version is not in the drop-down.
Currently the site admin page has CSRF vulnerabilities. While pages_html_form is called to insert a hidden field form_key into the form and store the form_key inside the user session, elggform_key_check is not called to check the form_key submitted. An attacker can become an admin, deface the website, or steal logins / passwords of users, among other nasty stuff.
I found this on Elgg 0.9.2. Patch is included.
There is a Cross Site Request Forgery vulnerability in the account setting page. This vulnerability can be used to take over a user's account! I found this in Elgg 0.9.2, but there's no option below to make the version 0.9.2. Please let me know if I should submit more details on how this can be done.
The patch uses elggform_key_get and elggform_key_check to prevent CSRF, functions that seem to have been designed to prevent CSRF in the first place. The patch essentially uses elggform_key_get to generate a key, which is inserted into a hidden input field in the form and also into the user's session. Then elggform_key_check is used to check the submitted key against the key in the session variable.
Note that this patch has not completely patched the user details page. It just protects against the most serious parts, like CSRF against passwords and e-mail. The problem is that the various PHP files in the $functionuserdetails:init? array handle processing of the options that the plugins individually insert into the user details page. There are two options I can think of:
The second option sounds better, but I do not know how to do the latter yet.
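An added example, not Elgg's code, of the form-key pattern these tickets rely on (the site admin and account settings CSRF reports): a per-session random key placed in a hidden field and checked on submission with a constant-time comparison. It also shows one answer to the plugin-handler problem above: validate the key once, at the top of the action, before any handler from the dispatch array runs. The function names csrf_key_get, csrf_hidden_field, csrf_key_check and handle_user_details, and the session key 'form_key', are assumptions modelled on elggform_key_get / elggform_key_check.

```php
<?php
// Added example, not Elgg code. Minimal anti-CSRF form key.

function csrf_key_get(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One unguessable key per session; reusing it lets several open forms validate.
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_key'];
}

// Hidden field to embed in every state-changing form.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="form_key" value="'
         . htmlspecialchars(csrf_key_get(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_key_check(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION['form_key'] ?? '';
    $submitted = $post['form_key'] ?? '';
    // Constant-time comparison; a missing session key never matches.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Check once before the plugin-supplied handlers run, so every option on the
// user details page is covered without patching each plugin's file.
function handle_user_details(array $post, array $handlers): void
{
    if (!csrf_key_check($post)) {
        http_response_code(403);
        exit('Invalid form key');
    }
    foreach ($handlers as $handler) {
        $handler($post);
    }
}
```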
A new page has been created to provide a link to the Feedback survey (please complete if you haven’t already done so) and as a place to add any general comments on the event that you wish to make publicly.
Over the next few days we will also be adding a number of short ‘talking head’ videos filmed at the event of people’s impressions and experiences.
I added a small enhancement in utils/i18n.php.
I added code in function scan() before $result[]= array('file'=>$_file,'string'=>$_line);
if ( strlen($_line) > 1 )
{
    // change first char ' to "
    if ($_line[0] == "'")
        $_line[0] = '"';
    // change last char ' to "
    if ($_line[strlen($_line)-1] == "'")
        $_line[strlen($_line)-1] = '"';
    // replace \' to '  (escape sequences below are reconstructed: the posted text lost its backslashes)
    $_line = str_replace("\\'", "'", $_line);
    // replace " to \" in text but not first and last char "
    // 1) copy only text
    $_only_text = substr($_line, 1, strlen($_line) - 2);
    // 2) unescape any \" already present, then escape every "
    $_only_text = str_replace('\\"', '"', $_only_text);
    $_only_text = str_replace('"', '\\"', $_only_text);
    $_line = $_line[0] . $_only_text . $_line[strlen($_line)-1];
}
$result[]= array('file'=>$_file,'string'=>$_line);
This code fixes:
- an error when the first and last char is '
- an error when there is a ' in the string
- an error when there is a " char in the string
I found a small error in utils/i18n.php.
I generated a new en_GB.po and tested it.
php utils/i18n.php
msgfmt --statistics languages/en_GB/LC_MESSAGES/en_GB.po
msgfmt return error: languages/en_GB/LC_MESSAGES/en_GB.po:2348: end-of-line within string
line languages/en_GB/LC_MESSAGES/en_GB.po:2348
#: mod/admin/lib/admin_spam.php:7: msgid "Add regular expressions below, one per line, to block spam. For example msgstr ""
The error is in function scan().
The code is:
$_matches = preg_split('/,\s*"|,\s*\'/', $matches[1]);
$_line = $_matches[0];
$result[]= array('file'=>$_file,'string'=>$_line);
Why did you use preg_split?
I changed the code to
//$_matches = preg_split('/,\s*"|,\s*\'/', $matches[1]);
$_line = $matches[1];
$result[]= array('file'=>$_file,'string'=>$_line);
And now works OK :)
A number of people have asked what they should do with their room keys…
Please return them to
Keele Conferences
Darwin Building
Keele University
Keele
Staffordshire
ST5 5BG
So when you click on the tags link and get the cloud - you click on a tag and you lose part of the screen because the code doesn't check to see if a particular parameter has been set - and you won't see the "Matching Users and Communities" area. I changed the code to check, and the code works fine now.
Sarah Porter, Head of Innovation at JISC, brought the conference to a close with a round-up of some of the key issues from the last 2 days, and thanked delegates for a fascinating and invigorating conference.
There was just 15 minutes for the closing plenary, and so Sarah galloped through a dazzling summary of the conference, pointing out the incredible energy and level of engagement of delegates across a huge breadth and depth of subjects.
This interactive Discussion Forum took place at 12.30 on Day 1 and was chaired by Lawrie Phipps. The main topics of discussion related to the potential disruptions that Web 2.0 technology can cause and the real positives they bring in and finished with a general call for ‘netiquette’ guidelines.
A big ‘thankyou’ to everyone who attended the event for participating so enthusiastically and creating such a brilliant atmosphere; particularly those that gave so much time and thought to organising and presenting the sessions.
We hope you enjoyed the two days and found it useful - please visit the feedback survey at http://survey.jisc.ac.uk/jif08feedbacksurvey/ to let us know what you thought and how we might make future events even better.
As Sarah said in her closing session this blog will remain open as a discussion forum for the near future so please continue to use it to share ideas and comments with JISC and project colleagues.
Audio from the session
To download the MP3 click here
Chris Batt gave a relaxed and extremely informative presentation on why we should be understanding e-content audiences, how best to do so, and why it’s so critical to e-content sustainability.
Delegates raised several interesting points in the Q+A at the end of the presentation, including the difficulty of grouping individuals who have different needs at different times, and also the question of whether or not we are stifling innovation in our eagerness to give users what they say they need.
Let's try to disentangle:
- Ticket #369: edfactor fixed a bug (warning)
- Ticket #357: justinr made an enhancement before Changeset r1602 was applied, so it didn't reflect the changes.
- There are two typos in r1603 (justinr's enhancement)
So this relates to Tickets #369, #357, and Changesets r1602, r1603, r1606
I'm attaching a patch with edfactor's changes and the typo corrections - tested and works fine.