| Re: Protector Module in XOOPS 2.4.4 |
| by ghia on 2010/7/7 21:02:44 And if you want the 3.41 corrections, as said before, add them yourself in the files, as they are rather small. |
| Re: Protector Module in XOOPS 2.4.4 |
| by trabis on 2010/7/7 20:53:49 Quote:
You've heard fine! |
| Re: Protector Module in XOOPS 2.4.4 |
| by mboyden on 2010/7/7 20:00:31 Thanks for the response trabis! trabis wrote:Quote: If you have your xoops_lib in a private folder and you do not mind to hack mainfile, there is no reason to use xoops version of protector. ![]() Quote: GIJoe is very clear on saying that protector is not to be used on public folder. Unfortunatly, not every user have permissions to do so. For those users, the original protector module is not useful since it allows hackers to do directory travessal. Quote: I thought I was clear enough on what was added and why. Thanks for the clarification.What I heard: = If you can have a true trust path outside root, use whatever GIJoe version of Protector you want, but include the pre-/post-check code in mainfile. = If you must have xoops_lib and trust path inside the doc root, use the module 3.40x as included with the XOOPS release. Thanks again! |
| Re: Protector Module in XOOPS 2.4.4 |
| by trabis on 2010/7/7 18:28:01 Quote:
If you have your xoops_lib in a private folder and you do not mind to hack mainfile, there is no reason to use xoops version of protector. Quote:
GIJoe is very clear on saying that protector is not to be used on public folder. Unfortunatly, not every user have permissions to do so. For those users, the original protector module is not useful since it allows hackers to do directory travessal. Quote:
I thought I was clear enough on what was added and why. |
| Re: Protector Module in XOOPS 2.4.4 |
| by mboyden on 2010/7/7 15:51:26 Yeah, I'd done a DIFF of the 3.40 and 3.40x versions and didn't see much that said I needed to use 3.40x over 3.41. Since 3.41 is working fine, I don't see any real reason to use an older and customized version of Protector module (or any others for that matter). I also don't understand why we would want to use a hacked version of a module that is constantly under development. Are we working with GIJoe to make the appropriate changes in the Protector module to work with all versions of XOOPS? Because the web is filled with dangerous crocodiles (script kiddiez and worse), we want to be able to keep our sites protected as best as possible and protect against the latest exploits. Since the Protector releases aren't synchronized with the XOOPS releases, it doesn't make sense to leave XOOPS installs vulnerable to the latest exploits requiring users to use hacks and do diffs and such. Also, the latest info I've read is that the preload aspects used in the 2.4.x and 2.5.x series (with an end-of-life in 2.6.x series) may be dropped or changed altogether. So, again, I'm trying to understand the purpose of the hacks, not the fact that it didn't change anything. I guess the real question is: What do they ADD or do that is better than 3.40 or 3.41? |