
Textpattern CMS support forum


#85 2011-04-07 21:33:08

funtoosh
Member
From: Münster, Germany
Registered: 2006-10-09
Posts: 153
Website

Re: Feedback for the Textpattern 4.4.0 release

updates went smoothly for me so far, so thx for that!
i do have a question about the new htaccess in /files though:

# Inhibit directory listing
Options -Indexes

mhm, i use +Indexes and fancy indexing sometimes in /files … shouldn’t i?
but the second directive is much more difficult:

# Inhibit direct file downloads
RedirectMatch 403 .*

i use direct links to files on a regular basis. there is no other way sometimes, e.g. when you want to stream MP3s or video. in which circumstances might i end up with a vulnerable site?

cheers, -f

Offline

#86 2011-04-07 21:48:55

johnstephens
Plugin Author
From: Woodbridge, VA
Registered: 2008-06-01
Posts: 999
Website

Re: Feedback for the Textpattern 4.4.0 release

funtoosh wrote:

i use direct links to files on a regular basis. there is no other way sometimes, e.g. when you want to stream MP3s or video. in which circumstances might i end up with a vulnerable site?

I think that’s why Robert renamed the .htaccess file to .htaccess-dist, so that it wouldn’t break sites that depend on direct download links. [Based on this thread and the versioning check-in comments]

I’ve run podcast sites pretty well using only Textpattern’s download links and link tags, so blocking direct downloads is no problem for me.

Offline
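An added example, not part of any post above and not Textpattern code: a small Python check that reports whether the two directives quoted from the /files .htaccess are actually in effect. The function names and sample inputs are constructed for illustration, and it assumes Apache's default AccessFileName, so a file still named .htaccess-dist is not read.

```python
# Added example (not Textpattern code); names and samples are constructed.
# Constructed sample: the two directives quoted in the thread.
SHIPPED = """\
# Inhibit directory listing
Options -Indexes

# Inhibit direct file downloads
RedirectMatch 403 .*
"""

# Constructed sample: listings re-enabled, 403 rule commented out.
RELAXED = "Options +Indexes\n#RedirectMatch 403 .*\n"


def active_directives(text):
    """Yield (name, args) for every line that is not blank or a comment."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""


def audit_files_dir(files):
    """files maps filename -> content for /files.

    Assumes the default AccessFileName: only ".htaccess" is read, so a
    ".htaccess-dist" that was never renamed protects nothing.
    """
    result = {"listing_inhibited": False, "downloads_inhibited": False,
              "inert_dist": ".htaccess" not in files and ".htaccess-dist" in files}
    for name, args in active_directives(files.get(".htaccess", "")):
        if name == "options":
            for opt in args.lower().split():
                if opt == "-indexes":
                    result["listing_inhibited"] = True
                elif opt in ("+indexes", "indexes"):
                    result["listing_inhibited"] = False
        elif name == "redirectmatch":
            # Only the catch-all 403 form quoted in the thread is recognised.
            if args.split() == ["403", ".*"]:
                result["downloads_inhibited"] = True
    return result


if __name__ == "__main__":
    for label, files in [("shipped", {".htaccess": SHIPPED}),
                         ("dist only", {".htaccess-dist": SHIPPED}),
                         ("relaxed", {".htaccess": RELAXED})]:
        print(label, audit_files_dir(files))
```

A False for listing_inhibited only means this file does not switch listings off; the server or a parent directory configuration may still do so.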

#87 2011-04-07 22:07:11

funtoosh
Member
From: Münster, Germany
Registered: 2006-10-09
Posts: 153
Website

Re: Feedback for the Textpattern 4.4.0 release

john, thx for pointing me in the right direction, hadn’t seen that thread. will go to sleep untroubled now ;-}

Offline

#88 2011-04-08 04:06:23

wet
Developer Emeritus
From: Schoerfling, Austria
Registered: 2005-06-06
Posts: 3,323
Website Mastodon

Re: Feedback for the Textpattern 4.4.0 release

merz1 wrote:

No big deal but why did the preview url change?

The old preview method had security implications.

Offline

#89 2011-04-08 10:59:48

merz1
Member
From: Hamburg
Registered: 2006-05-04
Posts: 994
Website

Re: Feedback for the Textpattern 4.4.0 release

Thanks Robert, only one minor point which comes to my mind:

Bloke Stef, as the new preview URL still shows the article ID … Are those security implications maybe still valid for your short url plug-in?


Get all online mentions of Textpattern via OPML subscription: TXP Info Sources: Textpattern RSS feeds as dynamic OPML

Offline

#90 2011-04-08 13:39:49

johnstephens
Plugin Author
From: Woodbridge, VA
Registered: 2008-06-01
Posts: 999
Website

Re: Feedback for the Textpattern 4.4.0 release

gomedia wrote:

Is there any advice on whether we need to do anything with the newly added (but commented-out) line in .htaccess:

#ErrorDocument 403 default

johnstephens wrote:

I’ve upgraded a bunch of sites without uncommenting this line. What is it that this does, exactly?

Aha! Apologies for polluting this thread with a question Google was able to resolve. I found the answer here.

Offline

#91 2011-04-10 11:57:49

ax
Plugin Author
From: Germany
Registered: 2009-08-19
Posts: 165

Re: Feedback for the Textpattern 4.4.0 release

Offline

#92 2011-04-10 19:13:29

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250
Website GitHub

Re: Feedback for the Textpattern 4.4.0 release

merz1 wrote:

Are those security implications maybe still valid for your short url plug-in?

Not as far as I can tell. You can’t short URL to a non-live (or non-sticky) article. Unless I’ve missed something?

Last edited by Bloke (2011-04-10 19:14:04)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Online

#93 2011-04-11 23:09:38

jstubbs
Moderator
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: Feedback for the Textpattern 4.4.0 release

I am getting a Fatal error: Call to undefined function strftime() error on a 4.0.4 TXP install suddenly. Any ideas where this is called and why the error might appear?

Also get Fatal error: Call to undefined function strftime() on the Users tab while the Prefs tab does not display anything underneath the DST enabled setting. Nothing changed on the web host side (apparently) so trying to track this down.

Offline

#94 2011-04-12 10:36:00

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Feedback for the Textpattern 4.4.0 release

4.0.4 or 4.4.0? Please post full diagnostics.

Offline

#95 2011-04-12 10:48:03

jstubbs
Moderator
From: Hong Kong
Registered: 2004-12-13
Posts: 2,395
Website

Re: Feedback for the Textpattern 4.4.0 release

Hi Ruud, yes sorry it was 4.4.0. The site is live and not operational by myself, I am just helping out. The owner says they didn’t do anything and the web host says the same, but suddenly the site is down with that error message.

I can’t see diagnostics – only Fatal error: Call to undefined function gmstrftime() in /home/site/public_html/textpattern/include/txp_diag.php on line 480. To be exact, the pre-flight check works and returns:

The following PHP functions (which may be necessary to run Textpattern) are disabled on your server: proc_close, proc_get_status, proc_terminate, myshellexec, shell, system_exec, posix_getpwuid, posix_getgrgid, posix_kill, ssh2_exec, pcntl_exec, ini_restore

Then the error message above and nothing else. Prefs tab returns data up to DST enabled? and nothing more.

Front page of the site returns the error Fatal error: Call to undefined function strftime() in /home/site/public_html/textpattern/lib/txplib_misc.php on line 1375

Not seen this before. Tried replacing the PHP files noted but that did not work.

Offline

#96 2011-04-12 12:11:58

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Feedback for the Textpattern 4.4.0 release

Upload a file called test.php with these contents:

<?php
setlocale(LC_TIME, 'en_US');
echo strftime("%b %d %Y %H:%M:%S", mktime(20, 0, 0, 12, 31, 98)) . "\n";
echo gmstrftime("%b %d %Y %H:%M:%S", mktime(20, 0, 0, 12, 31, 98)) . "\n";
?>

If that doesn’t show 2 dates, you contact the webhost.

Offline
