RE: Porn on GForge.org
2007-03-10 00:47:20

I was working with the user on the IRC who reported this issue. I supplied a fixed download.php which only allows content type text/plain to be returned directly; every other type is returned as application/octet-stream. I've attached the fixed download.php. At least this way the porn spammers don't get free page service and hopefully the spam receivers will be scared off by the offer to download a file. This might discourage the spammers.

Also I created this query to quickly find all the suspect downloads and generate URLs to all the parent artifacts. Someone with admin access can use it to clean up gforge.org:

    -- String literals use single quotes: in PostgreSQL double quotes denote identifiers.
    select 'http://gforge.org/tracker/index.php?func=detail&aid='
           || artifact.artifact_id || '&group_id=' || group_id
           || '&atid=' || agl.group_artifact_id
    from (artifact_file
          inner join artifact on artifact_file.artifact_id = artifact.artifact_id)
          inner join artifact_group_list as agl on agl.group_artifact_id = artifact.group_artifact_id
    where filetype = 'text/html'
RE: RE: Porn on GForge.org
2007-03-10 01:41:11

Actually you probably want to add distinct to the query so it becomes:

    -- String literals use single quotes: in PostgreSQL double quotes denote identifiers.
    select distinct 'http://gforge.org/tracker/index.php?func=detail&aid='
           || artifact.artifact_id || '&group_id=' || group_id
           || '&atid=' || agl.group_artifact_id
    from (artifact_file
          inner join artifact on artifact_file.artifact_id = artifact.artifact_id)
          inner join artifact_group_list as agl on agl.group_artifact_id = artifact.group_artifact_id
    where filetype = 'text/html'

From: gforge-devel-bounces lists.gforge.org [mailto:gforge-devel-bounces lists.gforge.org] On Behalf Of Robert Nelson
Sent: Friday, March 09, 2007 10:47 PM
To: gforge-devel lists.gforge.org
Subject: [Gforge-devel] RE: Porn on GForge.org
Importance: High

I was working with the user on the IRC who reported this issue. I supplied a fixed download.php which only allows content type text/plain to be returned directly; every other type is returned as application/octet-stream. I've attached the fixed download.php. At least this way the porn spammers don't get free page service and hopefully the spam receivers will be scared off by the offer to download a file. This might discourage the spammers.

Also I created this query to quickly find all the suspect downloads and generate URLs to all the parent artifacts. Someone with admin access can use it to clean up gforge.org:

    select 'http://gforge.org/tracker/index.php?func=detail&aid='
           || artifact.artifact_id || '&group_id=' || group_id
           || '&atid=' || agl.group_artifact_id
    from (artifact_file
          inner join artifact on artifact_file.artifact_id = artifact.artifact_id)
          inner join artifact_group_list as agl on agl.group_artifact_id = artifact.group_artifact_id
    where filetype = 'text/html'

Re: RE: Porn on GForge.org
2007-03-10 07:03:39

Robert Nelson wrote:
> Actually you probably want to add distinct to the query so it becomes:
>
>     select distinct 'http://gforge.org/tracker/index.php?func=detail&aid='
>            || artifact.artifact_id || '&group_id=' || group_id
>            || '&atid=' || agl.group_artifact_id
>     from (artifact_file
>           inner join artifact on artifact_file.artifact_id = artifact.artifact_id)
>           inner join artifact_group_list as agl on agl.group_artifact_id = artifact.group_artifact_id
>     where filetype = 'text/html'

We probably just need to require a login in order to download anything.
That would solve the problem of using it as a public file host.

--
Tim Perdue,
http://gforgegroup.com
PH 515-554-9520
FAX 504-910-3655
_______________________________________________
Gforge-devel mailing list
Gforge-devel lists.gforge.org
http://lists.gforge.org/mailman/listinfo/gforge-devel

RE: RE: Porn on GForge.org
2007-03-10 12:27:17

I think the following should be done:

Require login to download

Map text/* to text/plain
Map everything else to application/octet-stream

Add an option to handle new user registrations like new projects and require approval from an admin.

> -----Original Message-----
> From: gforge-devel-bounces lists.gforge.org [mailto:gforge-devel-bounces lists.gforge.org] On Behalf Of Tim Perdue
> Sent: Saturday, March 10, 2007 5:04 AM
> To: gforge-devel lists.gforge.org
> Subject: Re: [Gforge-devel] RE: Porn on GForge.org
>
> Robert Nelson wrote:
> > Actually you probably want to add distinct to the query so it becomes:
> >
> >     select distinct 'http://gforge.org/tracker/index.php?func=detail&aid='
> >            || artifact.artifact_id || '&group_id=' || group_id
> >            || '&atid=' || agl.group_artifact_id
> >     from (artifact_file
> >           inner join artifact on artifact_file.artifact_id = artifact.artifact_id)
> >           inner join artifact_group_list as agl on agl.group_artifact_id = artifact.group_artifact_id
> >     where filetype = 'text/html'
>
> We probably just need to require a login in order to download anything.
> That would solve the problem of using it as a public file host.

RE: RE: Porn on GForge.org
2007-03-11 04:40:30

I just committed a fix to download.php that adds the requirement that the user be logged in to download files. I also changed the disposition from the filename to "attachment". This causes the browser to always ask whether to open or save the file.

My suggestion to change the Content-Type header didn't help for all the browsers in all situations.

I committed this change to both the trunk and the 4.6 branch.

It should probably also go into the 4.5 branch.

> -----Original Message-----
> From: gforge-devel-bounces lists.gforge.org [mailto:gforge-devel-bounces lists.gforge.org] On Behalf Of Robert Nelson
> Sent: Saturday, March 10, 2007 10:27 AM
> To: gforge-devel lists.gforge.org
> Subject: RE: [Gforge-devel] RE: Porn on GForge.org
>
> I think the following should be done:
>
> Require login to download
>
> Map text/* to text/plain
> Map everything else to application/octet-stream
>
> Add an option to handle new user registrations like new projects and require approval from an admin.
>
> > -----Original Message-----
> > From: gforge-devel-bounces lists.gforge.org [mailto:gforge-devel-bounces lists.gforge.org] On Behalf Of Tim Perdue
> > Sent: Saturday, March 10, 2007 5:04 AM
> > To: gforge-devel lists.gforge.org
> > Subject: Re: [Gforge-devel] RE: Porn on GForge.org
> >
> > Robert Nelson wrote:
> > > Actually you probably want to add distinct to the query so it becomes:
> > >
> > >     select distinct 'http://gforge.org/tracker/index.php?func=detail&aid='
> > >            || artifact.artifact_id || '&group_id=' || group_id
> > >            || '&atid=' || agl.group_artifact_id
> > >     from (artifact_file
> > >           inner join artifact on artifact_file.artifact_id = artifact.artifact_id)
> > >           inner join artifact_group_list as agl on agl.group_artifact_id = artifact.group_artifact_id
> > >     where filetype = 'text/html'
> >
> > We probably just need to require a login in order to download anything.
> > That would solve the problem of using it as a public file host.

Re: RE: Porn on GForge.org
2007-03-11 09:32:25

Robert Nelson wrote:
> I just committed a fix to download.php that adds the requirement that the user be logged in to download files. I also changed the disposition from the filename to "attachment". This causes the browser to always ask whether to open or save the file.
>
> My suggestion to change the Content-Type header didn't help for all the browsers in all situations.
>
> I committed this change to both the trunk and the 4.6 branch.
>
> It should probably also go into the 4.5 branch.

Thanks, did you add to the doc mgr, forums, snippets, frs?

Those are potential trouble spots too. FRS and Doc Mgr need an admin to approve the file so it's not as much of a problem.

--
Tim Perdue,
http://gforgegroup.com
PH 515-554-9520
FAX 504-910-3655

RE: RE: Porn on GForge.org
2007-03-14 17:37:43

> -----Original Message-----
> From: gforge-devel-bounces lists.gforge.org [mailto:gforge-devel-bounces lists.gforge.org] On Behalf Of Tim Perdue
> Sent: Sunday, March 11, 2007 7:32 AM
> To: gforge-devel lists.gforge.org
> Subject: Re: [Gforge-devel] RE: Porn on GForge.org
>
> Robert Nelson wrote:
> > I just committed a fix to download.php that adds the requirement that the user be logged in to download files. I also changed the disposition from the filename to "attachment". This causes the browser to always ask whether to open or save the file.
> >
> > My suggestion to change the Content-Type header didn't help for all the browsers in all situations.
> >
> > I committed this change to both the trunk and the 4.6 branch.
> >
> > It should probably also go into the 4.5 branch.
>
> Thanks, did you add to the doc mgr, forums, snippets, frs?
>
> Those are potential trouble spots too. FRS and Doc Mgr need an admin to approve the file so it's not as much of a problem.
>

I have fixes for all of these. The changes I made were primarily to add attachment to Content-disposition. This ensures that the user is prompted whether to download or open the file. This reduces the chances of malicious attachments being processed on users' machines without their interaction.

I changed Forum and Tracker attachment downloads so the user must be logged in. I didn't require the user to be logged in to download FRS or DocMan files since these must be either uploaded or approved by an admin or project member. I felt that requiring a logged in user would interfere with automated downloads and installations.

I also enhanced the snippets so that the suggested filename is snippet_$id with the language specific extension appended, for example snippet_1.c.

Should I commit all these changes to the 4.6 branch?

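The download-serving rules the thread converges on (the content-type mapping proposed on 2007-03-10, and the Content-Disposition: attachment plus per-section login requirement described in the 2007-03-14 message) can be stated as a few pure functions. The block below is an added illustration, not GForge's download.php or any code from the list authors; the function names, the section names 'tracker', 'forum', 'frs', 'docman' and the sample inputs are this example's own assumptions.

```php
<?php
// Added example, not GForge's download.php. Pure functions so the policy can be
// checked without a web server; a real handler would emit the returned headers
// with header() and then stream the file.

// Map the stored MIME type to what is actually sent: any text/* becomes
// text/plain so a browser never renders uploaded HTML, everything else
// becomes application/octet-stream.
function safe_content_type($stored_type) {
    $type = strtolower(trim((string) $stored_type));
    // Drop parameters such as "; charset=..." before matching.
    $type = explode(';', $type, 2)[0];
    if (strpos($type, 'text/') === 0) {
        return 'text/plain';
    }
    return 'application/octet-stream';
}

// Content-Disposition: attachment forces the open/save prompt the thread
// relies on. The filename is reduced to a conservative character set so a
// stored name cannot inject CR/LF header text or path separators.
function attachment_disposition($filename) {
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename((string) $filename));
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'download';
    }
    return 'Content-Disposition: attachment; filename="' . $name . '"';
}

// Per the thread: tracker and forum attachments require a login; FRS and
// DocMan files do not, because an admin or project member already had to
// upload or approve them and scripted downloads should keep working.
// Section names are this example's assumption.
function login_required_for($section) {
    $open_sections = array('frs', 'docman');
    return !in_array(strtolower((string) $section), $open_sections, true);
}

// Decide how (or whether) a file is served. Returns a description of the
// response rather than sending it, so the policy is unit-testable.
function plan_download($section, $logged_in, $stored_type, $filename) {
    if (login_required_for($section) && !$logged_in) {
        return array('status' => 403, 'headers' => array());
    }
    return array(
        'status'  => 200,
        'headers' => array(
            'Content-Type: ' . safe_content_type($stored_type),
            attachment_disposition($filename),
            // Not discussed in the thread: a later browser header that stops
            // the client from sniffing the body back to HTML.
            'X-Content-Type-Options: nosniff',
        ),
    );
}

// Constructed sample inputs modelled on the spam case in the thread.
$anon_html = plan_download('tracker', false, 'text/html; charset=utf-8', 'offer.html');
$user_html = plan_download('tracker', true,  'text/html; charset=utf-8', 'offer.html');
$frs_tar   = plan_download('frs',     false, 'application/x-gzip', "rel\r\nease.tar.gz");

assert($anon_html['status'] === 403);                                 // login required
assert($user_html['headers'][0] === 'Content-Type: text/plain');      // never text/html
assert($frs_tar['status'] === 200);                                   // FRS stays anonymous
assert($frs_tar['headers'][1] === 'Content-Disposition: attachment; filename="rel__ease.tar.gz"');
echo "download policy checks passed\n";
```

Keeping the decision in `plan_download()` separate from the code that calls `header()` is the design point: the three rules (type mapping, forced attachment, section-dependent login) can then be asserted on directly, and the same function can back the tracker, forum, FRS, DocMan and snippet handlers the thread lists instead of each one carrying its own copy.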
Re: RE: Porn on GForge.org
2007-03-14 17:53:07

Robert Nelson wrote:
> I have fixes for all of these. The changes I made were primarily to add attachment to Content-disposition. This ensures that the user is prompted whether to download or open the file. This reduces the chances of malicious attachments being processed on users' machines without their interaction.
>
> I changed Forum and Tracker attachment downloads so the user must be logged in. I didn't require the user to be logged in to download FRS or DocMan files since these must be either uploaded or approved by an admin or project member. I felt that requiring a logged in user would interfere with automated downloads and installations.
>
> I also enhanced the snippets so that the suggested filename is snippet_$id with the language specific extension appended, for example snippet_1.c.
>
> Should I commit all these changes to the 4.6 branch?

That'd be great, thanks.

--
Tim Perdue,
http://gforgegroup.com
PH 515-554-9520
FAX 504-910-3655

RE: RE: Porn on GForge.org
2007-03-15 01:13:57

> -----Original Message-----
> From: gforge-devel-bounces lists.gforge.org [mailto:gforge-devel-bounces lists.gforge.org] On Behalf Of Tim Perdue
> Sent: Wednesday, March 14, 2007 3:53 PM
> To: gforge-devel lists.gforge.org
> Subject: Re: [Gforge-devel] RE: Porn on GForge.org
>
> >
> > I also enhanced the snippets so that the suggested filename is snippet_$id with the language specific extension appended, for example snippet_1.c.
> >
> > Should I commit all these changes to the 4.6 branch?
>
> That'd be great, thanks.
>

I've updated Branch-4_6 and trunk with the changes.

By the way, my commits still aren't appearing on the Gforge-commits mailing list.