Textpattern CMS support forum

#1 2014-05-22 09:11:30

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,263
GitHub

Can a plugin override rss.php code?

I’m not a programmer, so consider this a newbie question.

I’d like to change the output of RSS and Atom feeds. It’s a pretty minor change and I would prefer to not hack out core code. With that in mind, is it possible to patch/change/whatever a line of code in rss.php (and atom.php) with a plugin? I haven’t yet found any existing plugins that do this, so I can’t tell if it’s going to work or not.

Advice and clarification appreciated. Thanks.

Offline

#2 2014-05-22 12:28:14

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Can a plugin override rss.php code?

Yes… and no. Using rah_external_output you can create a custom feed whose address would be something similar to http://yoursite.tld/?rah_external_output=feed


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#3 2014-05-22 12:54:56

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,263
GitHub

Re: Can a plugin override rss.php code?

Hey Yiannis – that’s what I figured. Thanks for the confirmation.

Here’s the background (which I omitted earlier when I got distracted): assuming a website has its feeds enabled, it’s trivial to find out what version of Textpattern it’s running on. Let’s take the (third-party) Textpattern demo as an example:

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
<channel><generator>http://textpattern.com/?v=4.4.1</generator>
<title>My Site</title>
<link>http://demo.opensourcecms.com/textpattern/</link>
<atom:link href="http://demo.opensourcecms.com/textpattern/rss/" rel="self" type="application/rss+xml" />
<description>My pithy slogan</description>

…which then makes it easy to check against known vulnerabilities and exploit the site (for the nefarious: Project Find A Four Point Four And F__k It Up).

WordPress does the same with the <generator> tag in its RSS and Atom, I imagine most CMSes probably do something similar. I want to — at the very least — turn the version off, without disabling the in-built syndication for existing subscribers (an .htaccess rewrite won’t be pretty). It looks like editing core files is the way to do this.

Offline

#4 2014-05-22 14:20:41

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,091
Website GitHub Mastodon Twitter

Re: Can a plugin override rss.php code?

Hi Pete

It seems that it is easy to edit the files.

In txp v4.41

In atom.php, delete version="'.$version.'" on line 67:

$out[] = tag('Textpattern','generator',' uri="http://textpattern.com/" version="'.$version.'"');

and in rss.php, on line 48, replace

$out[] = tag('http://textpattern.com/?v='.$version, 'generator');

with

$out[] = tag('http://textpattern.com/', 'generator');

I am not a programmer either so I hope that somebody who understands more can confirm that the deletions will not break the whole internet as we got to know it.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.

Offline

#5 2014-05-22 14:22:02

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,263
GitHub

Re: Can a plugin override rss.php code?

Hi Yiannis – yes, that’s what I was looking at to scrub out. Thanks for the second pair of eyes, I appreciate it.

Offline

#6 2014-05-22 17:33:18

etc
Developer
Registered: 2010-11-11
Posts: 5,195
Website GitHub

Re: Can a plugin override rss.php code?

If you don’t want to touch the core, this simple public-side plugin might help:

register_callback('abc_feed', 'pretext_end');

// Runs once $pretext has been built. If this request is for a feed, remember
// which feed function Textpattern was about to call and point it at our wrapper.
function abc_feed() {
	global $pretext;
	if(isset($pretext['feed'])) {
		$pretext['abc_feed'] = $pretext['feed'];
		$pretext['feed'] = 'abc_feed_cleanup';
	}
}

// Called in place of the original feed function: render the original feed,
// then replace the whole <generator> element (tag, attributes and content,
// which is where the version appears) with a version-free one.
function abc_feed_cleanup() {
	global $pretext;
	$feed = $pretext['abc_feed'];
	return preg_replace('/<generator[^>]*>.*<\/generator>/Us', '<generator>Textpattern</generator>', $feed());
}

Offline
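An added example, not part of this thread or of the abc_feed plugin above: a small Python script that a site owner can run against their own feed output to check whether the <generator> element still discloses a version, and that ports the plugin's regex to show the scrub working on both the rss.php form (the ?v=x.y.z URL from post #3) and the atom.php form (the version="x.y.z" attribute from post #4). The two sample feeds are constructed here from the tag shapes quoted in the thread; they are not captured from a live site, and the example.invalid link is a placeholder.

```python
import re

# Constructed sample feeds, modelled on the <generator> lines that the thread
# quotes from Textpattern 4.4.1's rss.php and atom.php (not a live capture).
RSS_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel><generator>http://textpattern.com/?v=4.4.1</generator>
<title>My Site</title>
<link>http://example.invalid/</link>
</channel></rss>"""

ATOM_SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<generator uri="http://textpattern.com/" version="4.4.1">Textpattern</generator>
<title>My Site</title>
</feed>"""

# Port of the plugin's '/<generator[^>]*>.*<\/generator>/Us':
# PHP's /U (ungreedy) becomes the lazy .*?, and /s becomes re.S so the
# match may span lines. Matches the whole element, attributes included.
GENERATOR_RE = re.compile(r"<generator[^>]*>.*?</generator>", re.S)

# The two disclosure shapes seen in the thread: a ?v= query string inside the
# element text (rss.php) or a version="..." attribute on the tag (atom.php).
VERSION_RE = re.compile(r'(?:\?v=|version=")(\d+(?:\.\d+)+)')


def scrub_generator(feed: str) -> str:
    """Replace any <generator> element with a version-free one, as the plugin does."""
    return GENERATOR_RE.sub("<generator>Textpattern</generator>", feed)


def disclosed_version(feed: str):
    """Return the version string the feed's <generator> leaks, or None if clean.

    Only the generator element is inspected, so the unrelated version="2.0"
    on the <rss> root element is not reported as a leak.
    """
    element = GENERATOR_RE.search(feed)
    if not element:
        return None
    found = VERSION_RE.search(element.group(0))
    return found.group(1) if found else None


def audit(feeds: dict) -> dict:
    """Map feed name -> leaked version (None when clean). Feed bodies are plain strings."""
    return {name: disclosed_version(body) for name, body in feeds.items()}


if __name__ == "__main__":
    feeds = {"rss": RSS_SAMPLE, "atom": ATOM_SAMPLE}
    print("before scrub:", audit(feeds))
    cleaned = {name: scrub_generator(body) for name, body in feeds.items()}
    print("after scrub: ", audit(cleaned))
    print(cleaned["atom"])
```

To check a real site, fetch the feed bodies yourself (for example with urllib) and pass them to audit(); the script deliberately makes no network calls. As Jukka points out later in the thread, a clean generator element only removes one indicator, so treat a None result as confirmation that the feed change worked, not as evidence that the version is hidden.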

#7 2014-05-22 19:17:42

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Can a plugin override rss.php code?

Hiding the version number doesn’t protect your website and doing so ultimately just adds to the maintenance burden.

If I had any personal interest in your website, I would check the same holes regardless. Now, if for some absurd reason I had any interest in telling the Textpattern version you are using, there are other ways to tell that, starting from checking existing files to modification timestamps, or looking at the checksum file, readmes or language files. All of which are publicly accessible and announce the version either directly or by their contents. Even if you totally hide the admin-side interface, you can still ask Textpattern by doing a feature check.

If there is a known vulnerability somewhere, even a trained monkey can find it. Scripts and automated penetration tools are a thing.

Last edited by Gocom (2014-05-22 19:18:19)

Offline

#8 2014-05-23 09:11:48

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,263
GitHub

Re: Can a plugin override rss.php code?

Oleg: thank you, that’s very useful.

Jukka: I respectfully disagree that this situation warrants use of the word ‘absurd’, I’m looking at a number of factors that might advertise what I’m using on my Textpattern websites. There have been vulnerabilities discovered in older versions of Textpattern, and they have been resolved with updated versions – this is fact. Running a safe and secure website is important to me, and while I might be considered an edge case, if I can strip back some or most of the identifiers that would give someone a clue as to how to get in, I consider this time well spent.

I have been targeted before. I have people (from a previous career in data security) who come out of the woodwork occasionally and attempt to deface/break my sites. This is something I have to deal with, and there’s nothing I can do to prevent that happening. I can limit the scope for damage, of course, but until they get bored or fulfil whatever remit they have, I will deal with them as I can. You’re far, far smarter than I am and will ever be – but my question was a valid one.

Offline

#9 2014-05-23 12:33:08

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,454
Website GitHub

Re: Can a plugin override rss.php code?

Regardless of employing security through obscurity, I’ve never quite figured out why the version number is in the feed. It goes to textpattern.com?v=x.y.z. Does that track usage? Unlikely. So what’s the point?

The only thing I use it for is when potential clients knock on my digital door asking for site assistance: it’s a quick and easy way for me to check which version of Txp they’re running so I can give a more accurate quote (since I can gauge the extent of plugins likely to break, for example), and offer an upgrade as part of the process ;-)

Without that indicator I’d have to wait for them to tell me, send me a login, or resort to some simple hashing script (as Jukka alludes) to figure out the version installed.

As you can appreciate, while removing the indicator might keep the amateurs out, it’s not going to deter someone who knows what they’re doing (and it sounds like your prior acquaintances might be in the latter category). And there are countless other exploits in the surrounding ecosystem that might be softer targets which can lead to your site’s exposure, e.g. PHP, MySQL, my plugins, other WordPress users on the same physical node at your hosting provider, people with crap admin passwords, …

In the physical world, I have to install a five-lever mortice lock on my front door and agree to keep the windows closed before I can get competitive house insurance, but if someone is determined to get inside for my prized collection of neck ties, they’ll jimmy the entire doorframe from the brickwork or smash a window.

All that said, if there’s no real reason for leaking the version in the feeds then I can get rid of it. In the meantime, Oleg’s plugin solution seems the most tenable approach.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#10 2014-05-23 15:19:01

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,263
GitHub

Re: Can a plugin override rss.php code?

Stef – thanks for your reply. I am not suggesting or proposing removing this from core, not at all. I’m an edge case, and I’m totally OK with that. The generator section in RSS/Atom is not required to validate, as I understand it – and I’d prefer not to tool around with core files, so — as you say — Oleg has the solution for me.

Offline
