Textpattern CMS support forum

#1 2012-02-24 18:52:42

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 282

geo_vote

geo_votes

Poll – Ballot – Voting plugin

Features
Create votes/polls/ballots for your website.
Vote Info is added/edited on the Admin->Vote tab.
Presently up to 10 vote options can be set.
Ballot fraud check methods include a choice of cookie, ip, login. Cookie (default) reverts to IP if cookie can’t be set.
A closing date and time for your ballot can be set. Leave blank or set to ’00-00-00 00:00:00’ for a never ending vote.
Option to show results before voting closes or not. (Unless never-ending vote chosen)

Author / Credits
geoff777 – thanks to Stef Dawson (Bloke) for his amazing code which helped me to understand a little about the anatomy of a plugin. Thanks to Jukka (Gocom) for making the plugin more secure.

Installation / Uninstallation
Requires Textpattern ? – it was written using 4.4.1 but may well work in earlier versions?

When you first visit the Extension->Vote page, the extra tables will be installed automatically.

To uninstall, simply delete from the Admin -> Plugins page. But note the extra tables will remain until you delete them manually. At some future point it may clean up its own mess; think of the plugin as a teenage boy … just be thankful it gets out of bed and does anything at all.

Configuring Vote details
Visit the Extensions->Vote config tab. Add votes with a title, at least two options, plus an end date/time. CSS classes can be added to make the plugin’s output fit in with your site.

How to Use
<txp:geo_votes vote_id="integer" />
That’s it! One tag with one attribute.
vote_id is generated by auto_increment when you add a new vote on the Extensions->Vote tab. Just put the vote_id in the tag and your vote will appear.

Example:- <txp:geo_votes vote_id="1" />
The tag can be used anywhere. In articles, article lists, sidebars, footers or headers.

Possible problems:- pagetop() error – you’ve probably used geo_vote instead of geo_votes. (I want the public tag to be geo_vote but an admin function uses geo_vote and when I change it the plugin rolls over and dies. If anyone can assist with this I’d like the public tag to have the same name as the plugin.)

The plugin doesn’t sort the results, this option will probably be added.
Thumbnails for image votes are in the pipeline too.
The plugin currently has a fixed number of vote options (10). I realise this should be more flexible but I wanted to get the plugin working, so I’ve written it knowing it has limitations that I will change in future releases.

CSS
Add your own CSS classes in the Extensions->Vote tab. They are named to be fairly obvious. One class for the results bars is hard coded; you can now (0.1.4) change the colour.

Changelog
22 Feb 2012 | 0.1.3 | Initial (non-public) release
28 Feb 2012 | 0.1.4 | Fixed lots of security issues – thanks Gocom:
  • Removed ‘none’ from Fraud methods. Now a fraud method must be used. If Cookie can’t be set, IP is now stored.
  • Now only one cookie is used and a hash value is stored.
  • XHTML now validates.
  • Ballot form post variables are now cast as integers.
  • Changed dBase names. Added fields. Vote totals now stored instead of dynamically calculated.
  • The ballot form now times out after 10 minutes and a hash is included that must validate. A new table has been added to hold the hash keys. This table is automatically ‘cleaned’ of old values.
  • A new field means you can change the colour of the results bar graph.
Download link

{Edited to add the download link after uploading the plugin to TXP Resources. – Uli}

Last edited by geoff777 (2012-03-03 09:30:30)


There are 10 types of people in the world: those who understand binary, and those who don’t.

#2 2012-02-24 19:58:00

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,207

Re: geo_vote

Geoff, congrats for your first plugin!

I’ll have a look at your wonder tool this weekend. I’m curious what the Vote page offers. Sounds great!

Oh, BTW, I uploaded the plugin to TXPResources in order to save us some scrolling here.

Last edited by uli (2012-02-24 20:00:36)


In bad weather I never leave home without wet_plugout, smd_where_used and adi_form_links

#3 2012-02-24 20:08:23

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 282

Re: geo_vote

Wonder tool or big poll?
Anything for the weekend Sir?

Thanks Uli.

It might help with a little user interactivity …

#4 2012-02-24 21:45:47

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: geo_vote

Nice. Took a look at the code; well, it has some issues, including security vulnerabilities.

Security-wise:

  • All but two SQL queries can be injected. Remember to escape user-given values in queries with doSlash().
  • ip_login isn’t implemented, is it? When you do get it implemented you may want to save what is stored in the ip_login (ip, cookie etc), so that for instance, two forms can be offered for single poll. One for registered users and one for public user with cookie detection. In such case, if you don’t know what is saved, there may be collisions.
  • Database table pollution is possible. An attacker can insert as many rows into the voting table as they like. If your server can take 4000 requests a second, the table has 14400000 rows after an hour.
  • Voting forms can be sent from offsite. Would need nonce or cookie validation to prevent that.
  • $geo_vote_option should be cast as an integer to avoid issues.
  • Textpattern offers tools for preventing admin-side CSRF attacks. You may want to use those, e.g. bouncer() instead of that old method you are using.

Code/issue-wise:

  • $geo_vote_form_id = 0; and similar default definitions will not do anything. The following extract() will overwrite the value.
  • As of TXP 4.3.0, plugins have had the ability to use textpacks to handle translations and localization. Un/installing can be automated with plugin lifecycle callbacks.
  • On the public side the title isn’t escaped from HTML, and on the backend using any HTML special characters in the options breaks the panel. Should be escaped with htmlspecialchars().
  • end_date_time column’s default value should be either 0000-00-00 00:00:00 or NULL. That type of default value isn’t allowed by MySQL. Empty dates are saved as 0000-00-00 00:00:00 (with current versions of MySQL).
  • As far as the cookie detection (vote tracking) goes, you will have to store a unique value (hash) in a cookie, and then store that hash in the voting rows. A domain cannot set an unlimited number of cookies. The voting should only use a single cookie instead of creating a new cookie for every voting form. Otherwise the browser will only remember the ten latest votes or so.

Feature-wise:

  • Would be super cool if there wasn’t a limitation on the number of voting options. Ideally the options would be stored in their own database table and handled with sub-queries/joins.
  • Also would be cool if the public tags didn’t generate a block of code, but were customizable. Currently it generates invalid XHTML on an XHTML document too.

Last edited by Gocom (2012-02-24 21:54:25)

#5 2012-02-24 23:25:19

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 282

Re: geo_vote

There aren’t any user-given values?

Just radio buttons and a submit button.

If you are talking about the inputs on the extension tab – you have to have admin privs to get that far …

Not sure about your comment about ip_login?
The user’s IP is stored in the db if that method is chosen, or a cookie is set, or the user name is stored in the db if it’s members only.

I’ll try my best to sort this out over the weekend.

If you’d like to explain to the public in a bit more detail how they can launch an attack through this plugin that would be really cool

1st and last … it just ain’t no fun.

#6 2012-02-25 00:15:07

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: geo_vote

geoff777 wrote:

There aren’t any user-given values? […] radio buttons

HTTP POST comes directly from user. So yes, there is. I.e. the given option can be anything, like for instance a sub-query that deletes all content from the server.

Last edited by Gocom (2012-02-25 00:18:36)

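Added example, not code from the plugin or from anyone in this thread, illustrating the point Gocom makes in posts #4 and #6: a radio button still arrives as an arbitrary POST string, and pasting that string into SQL lets one request write whatever it likes (including stuffing several rows, which is the table-pollution problem). It is written in Python against an in-memory SQLite database so it runs on its own; the plugin itself is PHP on MySQL, so the table and column names here are assumptions, as are the query shapes. The fix shown is the integer cast Gocom asks for plus bound parameters; Textpattern’s doSlash(), which the thread recommends, is the plugin-side escaping for string values.

```python
import sqlite3


def make_db():
    """Constructed, throwaway schema standing in for the plugin's vote tables
    (assumed names; the real schema is not shown in the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vote_meta (vote_id INTEGER PRIMARY KEY, vote_title TEXT)")
    conn.execute("CREATE TABLE vote_count (vote_id INTEGER, vote_option INTEGER)")
    # The index Gocom recommends later in the thread: every lookup is by vote_id.
    conn.execute("CREATE INDEX vote_count_vote_id ON vote_count (vote_id)")
    conn.execute("INSERT INTO vote_meta VALUES (1, 'Favourite editor')")
    return conn


def record_vote_vulnerable(conn, vote_id, vote_option):
    """The pattern under criticism: the POSTed radio value is pasted into the SQL text."""
    sql = "INSERT INTO vote_count (vote_id, vote_option) VALUES (%s, %s)" % (vote_id, vote_option)
    conn.execute(sql)
    conn.commit()


def record_vote_safe(conn, vote_id, vote_option, max_options=10):
    """Cast to int first (anything that is not a plain number raises), then bind."""
    vote_id = int(vote_id)
    vote_option = int(vote_option)  # ValueError on "4), (1, 4)" or on a sub-query
    if not 1 <= vote_option <= max_options:
        raise ValueError("option out of range")  # the plugin has at most 10 options
    conn.execute(
        "INSERT INTO vote_count (vote_id, vote_option) VALUES (?, ?)",
        (vote_id, vote_option),
    )
    conn.commit()


def count_votes(conn, vote_id):
    row = conn.execute(
        "SELECT COUNT(*) FROM vote_count WHERE vote_id = ?", (int(vote_id),)
    ).fetchone()
    return row[0]


def option_totals(conn, vote_id):
    """{option: votes} for one poll."""
    return dict(conn.execute(
        "SELECT vote_option, COUNT(*) FROM vote_count WHERE vote_id = ? GROUP BY vote_option",
        (int(vote_id),),
    ))


# Constructed attacker payloads sent as the value of the radio button.
# One POST becomes three rows for option 4 (ballot stuffing / table pollution):
STUFFED_OPTION = "4), (1, 4), (1, 4"
# A sub-query reads a different table through the vote column; the stored
# value is the title length, i.e. a blind-injection probe:
SUBQUERY_OPTION = "(SELECT length(vote_title) FROM vote_meta WHERE vote_id = 1)"


if __name__ == "__main__":
    db = make_db()
    record_vote_vulnerable(db, 1, STUFFED_OPTION)
    print(option_totals(db, 1))  # {4: 3}
    record_vote_vulnerable(db, 1, SUBQUERY_OPTION)
    print(option_totals(db, 1))  # {4: 3, 16: 1}
```

SQLite’s execute() runs a single statement, so the second payload here reads rather than deletes; the point is that the value is interpreted as SQL at all, and on the plugin’s MySQL backend the same interpolation exposes every query built this way. The integer cast rejects both payloads before any query is built, and binding the parameters means a value can never become part of the statement text.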
#7 2012-02-25 01:23:40

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: geo_vote

geoff777 wrote:

Not sure about your comment about ip_login?
The users ip is stored in the db if that method is chosen, or a cookie is set or the user name stored in the db if it’s members only.

The cookie option needs some refactoring. What you will have to do is create a cookie (only one) for every user that votes, containing a random hash. A single domain can only create so many cookies (not an unlimited number). geo_vote ideally would only ever create one cookie in total per voter — across all polls. That hash would then be stored in the ip_login table.

As that was not how it works in geo_vote, I thought it was a totally unimplemented feature.

If you’d like to explain to the public in a bit more detail how they can launch an attack through this plugin that would be really cool

That the plugin saves anything to the database one gives it if none or cookie is used as the protection method? Eh well, preventing that is a pain in the butt. I would start by adding waiting time (sleep(3)), a nonce (or simple time-limited form), and IP limiting. Yes, IP limiting even if the poll wasn’t created with that prevention option. Basically by allowing only one vote an hour from a single IP address unless the user is logged in.

As far as the admin-side user interface goes, it might need some caring hand. I would make the labels readable, meaningful for humans. Like simply just replacing the boolean dropdown with simple Yes and No options. The list’s sortable column headings do not seem to work exactly as intended. Sorting by vote_title adds the class to two columns. Sorting by cheat_method adds the class to vote_id.

Public-side performance could be improved greatly by adding indexes. All polls are selected based on the ID, including the votes. Giving the vote_id field (in the vote_count table) an index makes selecting go smoothly when you have a total of 1.5 million votes. Without the index, it will take an hour to select the rows for that vote_id.

Other optimizations you might want to consider are the calculations. Technically calculations need to only take place when a vote is added. That is when the stats change. The problem heavy users may run into is collecting the votes and then calculating the results. The more votes you get the slower it gets. Doing calculations only on a vote means that users don’t have to sit there waiting for the page to load for an hour. Of course if the results are not visible to all, then that doesn’t matter. But if they are, then it can become a problem.

Edit. geo_vote_meta_check() refers to two non-existing tables PFX.GEO_VOTE_COUNT and PFX.GEO_VOTE_META, generating two warnings (Warning: Table 'PFX.GEO_VOTE_COUNT' doesn't exist... etc) when deleting a poll. You could actually remove geo_vote_meta_check altogether. The check is not needed before deleting, and neither is the error suppression before safe_delete(). safe_delete will only return a notice/warning when the query is incorrect (table is missing or damaged, or the mysql user has no permission to delete).

Last edited by Gocom (2012-02-25 01:36:24)

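Added example, not code from the plugin or from anyone in this thread, putting together the vote-tracking design Gocom describes in post #4 (a nonce so the form cannot be posted from offsite, one site-wide cookie holding a random hash, and a cap on how fast the table can be polluted) and post #7 (a time-limited nonce, IP limiting of one anonymous vote per hour, login exempt), with the 10-minute form limit and automatically cleaned hash-key table that the 0.1.4 changelog later adopted. It is Python with in-memory dictionaries standing in for the plugin’s tables; the names BallotGuard, cast_vote, voter_key and the status strings are this example’s own, and the sleep(3) delay from post #7 is left out so the block runs instantly.

```python
import secrets

FORM_TTL = 600     # ballot form valid for 10 minutes (the limit the 0.1.4 changelog adopted)
IP_WINDOW = 3600   # one anonymous vote per IP per hour (Gocom's suggestion in post #7)
MAX_OPTIONS = 10   # the plugin's fixed option count

HEX = set("0123456789abcdef")


def new_voter_cookie():
    """Random value for the single, site-wide voter cookie. The same value is
    stored in the vote rows, instead of one cookie per poll (post #4)."""
    return secrets.token_hex(16)


def voter_key(cookie, ip, username=None):
    """Which identity de-duplicates this vote: login, then cookie, then IP."""
    if username:
        return "user:" + username
    if cookie and len(cookie) == 32 and set(cookie) <= HEX:
        return "cookie:" + cookie
    return "ip:" + ip          # cookie missing or malformed: fall back to IP


class BallotGuard:
    """In-memory stand-ins for the hash-key table, the vote table and an IP log
    (assumed structures, not the plugin's schema)."""

    def __init__(self):
        self.nonces = {}        # nonce -> (vote_id, issued_at)
        self.votes = {}         # (vote_id, voter_key) -> option
        self.ip_last_vote = {}  # ip -> time of last anonymous vote from that address

    def issue_nonce(self, vote_id, now):
        """Called when the form is rendered; the nonce goes into a hidden field."""
        self._prune(now)        # the 'automatically cleaned' table of old keys
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (int(vote_id), now)
        return nonce

    def _prune(self, now):
        self.nonces = {n: v for n, v in self.nonces.items() if now - v[1] <= FORM_TTL}

    def _consume_nonce(self, nonce, vote_id, now):
        entry = self.nonces.pop(nonce, None)   # single use: a replay finds nothing
        if entry is None:
            return False
        nonce_vote_id, issued = entry
        return nonce_vote_id == vote_id and 0 <= now - issued <= FORM_TTL

    def cast_vote(self, vote_id, option, nonce, cookie, ip, now, username=None):
        """Process one POSTed ballot and return a status string."""
        try:
            vote_id, option = int(vote_id), int(option)   # POST values are untrusted
        except (TypeError, ValueError):
            return "bad_input"
        if not 1 <= option <= MAX_OPTIONS:
            return "bad_input"
        if not self._consume_nonce(nonce, vote_id, now):
            return "form_expired"    # offsite post, replay, or older than FORM_TTL
        key = voter_key(cookie, ip, username)
        if (vote_id, key) in self.votes:
            return "already_voted"
        if username is None:         # anonymous: also throttle per IP across all polls
            last = self.ip_last_vote.get(ip)
            if last is not None and now - last < IP_WINDOW:
                return "ip_limited"
            self.ip_last_vote[ip] = now
        self.votes[(vote_id, key)] = option
        return "ok"


if __name__ == "__main__":
    guard = BallotGuard()
    t0 = 1_000_000
    nonce = guard.issue_nonce(1, t0)
    cookie = new_voter_cookie()
    print(guard.cast_vote(1, "3", nonce, cookie, "203.0.113.5", t0 + 5))   # ok
    print(guard.cast_vote(1, "3", nonce, cookie, "203.0.113.5", t0 + 6))   # form_expired (replay)
```

The checks are ordered cheapest-rejection first: cast and range-check the POST values, then burn the nonce (so a form posted from another site, or an old one, stops here, which is the "Try again, the voting form has a security time limit" message a later post in this thread runs into), then de-duplicate on the strongest identity available, and only then apply the per-IP throttle so a logged-in user behind a shared address is not blocked by an anonymous neighbour.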
#8 2012-03-01 16:31:30

geoff777
Plugin Author
From: Benarrabá Andalucía Spain
Registered: 2008-02-19
Posts: 282

Re: geo_vote

I’ve updated the plugin to address the issues raised by Gocom.

If I can suggest that as a courtesy to the author any future security issues generated by any plugins (not just mine) are notified directly to the plugin author (as is with the Textpattern core) so they can be fixed before they are made public?

I’ve had to add the code again here as I can’t update on .org as I don’t have a login.
Perhaps Uli will kindly upload it again for me?

There are so many possible combinations of options and events. I have been testing for some time. I hope this release is stable and secure.

{Edited to remove the plugin code. – Uli}

Last edited by uli (2012-03-01 17:06:55)

#9 2012-03-01 17:08:15

uli
Moderator
From: Cologne
Registered: 2006-08-15
Posts: 4,207

Re: geo_vote

geoff777 wrote:

Perhaps Uli will kindly upload it again for me?

Yup, done! Download link is still in the first post.

#10 2013-04-27 06:31:32

raminrahimi
Member
From: India
Registered: 2013-03-19
Posts: 243

Re: geo_vote

I’ve installed this plugin, but have a problem!
When I vote, this message appears: Try again, the voting form has a security time limit
even though I changed the date and Voting Fraud Prevention Method settings…
