I'm finally upgrading to XOOPS 2.4.4 (from 2.3.3b) on a site and they are currently using Protector 3.41 (as are most of the sites I'm working with). XOOPS 2.4.4 contains Protector module 3.40 (slightly modified, as it says in the documentation).

I've done the upgrade and Protector 3.41 seems to be working. I've done a diff on the modified version and "slightly modified" is quite a number of files, mostly related to some preload stuff as well as "making it easier to use for a number of types of users".

Can someone explain to me an overview of what this modified version brings to the board? What are the reasons that 3.40 modified would be better than 3.41 (slightly modified version of 3.40, but differently).

I'm trying to understand at a high level what one is losing using the module developer's latest version and why one should use the core version.

Thanks!

To make clear the following discussion, let's straight out the versions.
There are actual three:
-3.40 Original Protector module
-3.40 Protector 3.40 as changed for XOOPS, let's call that 3.40x
-3.41 Original Protector module

The differences between 3.40 and 3.40x seems very limited and handle the import of some XOOPS definitions and presets for paths and language. Don't know of this is actual still needed.
Other modifications are some arguments or calls done by reference or direct (& operator). (Not sure about this ones. Compatibility later PHP versions?)
But AFAIK in general there are no changes in the working or behaviour of the Protector module.
Trabis or phppp could comment more on these changes.

The difference between 3.40 and 3.41 are some minor bug fixes for swc upload handling and mutibyte requirement filter.

What is wisest for upgrade?
I think identifying the few changes between 3.40 and 3.41 and implement them in 3.40X.
xoops_lib/modules/protector/class/protector.php
xoops_lib/modules/protector/filters_disabled/postcommon_post_need_multibyte.php
xoops_lib/modules/protector/include/version.txt
and if applicable
xoops_lib/modules/protector/languages/spanish
xoops_lib/modules/protector/languages/polish_utf8

In the next version of Protector 3.50beta, there will be two new features:
- configuration of the filters (now you have to copy them from the 'disabled' directory to the 'enabled' directory and vice versa)
- check on configuration options

Xoops version allows protector module to be used on public folder without compromising security. It also makes use of preloads, so there is no need to change mainfile.php.

The behaviour of the module did not changed.

Yeah, I'd done a DIFF of the 3.40 and 3.40x versions and didn't see much that said I needed to use 3.40x over 3.41. Since 3.41 is working fine, I don't see any real reason to use an older and customized version of Protector module (or any others for that matter).

I also don't understand why we would want to use a hacked version of a module that is constantly under development. Are we working with GIJoe to make the appropriate changes in the Protector module to work with all versions of XOOPS?

Because the web is filled with dangerous crocodiles (script kiddiez and worse), we want to be able to keep our sites protected as best as possible and protect against the latest exploits. Since the Protector releases aren't synchronized with the XOOPS releases, it doesn't make sense to leave XOOPS installs vulnerable to the latest exploits requiring users to use hacks and do diffs and such. Also, the latest info I've read is that the preload aspects used in the 2.4.x and 2.5.x series (with an end-of-life in 2.6.x series) may be dropped or changed altogether.

So, again, I'm trying to understand the purpose of the hacks, not the fact that it didn't change anything.

I guess the real question is: What do they ADD or do that is better than 3.40 or 3.41?

Quote:
If you have your xoops_lib in a private folder and you do not mind to hack mainfile, there is no reason to use xoops version of protector.

Quote:
GIJoe is very clear on saying that protector is not to be used on public folder. Unfortunatly, not every user have permissions to do so. For those users, the original protector module is not useful since it allows hackers to do directory travessal.


Quote:

I thought I was clear enough on what was added and why.

Thanks for the response trabis!

trabis wrote:Quote:If I understand, should I decide to use the 3.41 (non-xoops244-ified) versions, then I should use the pre-/post-check code per the instructions (I'd disabled those for the moment while doing some integration and regression testing, so will re-enable them). And I don't mind hacking mainfile. I use the xoRewriteModule, too.

Quote:Understood. I'd suggest changing hosting providers since it's easy and cheap to find, but I also understand providing a solution for those who are constrained to using inherently insecure setups.

Quote:I'm obviously a touch dense. Thanks for the clarification.

What I heard:
= If you can have a true trust path outside root, use whatever GIJoe version of Protector you want, but include the pre-/post-check code in mainfile.
= If you must have xoops_lib and trust path inside the doc root, use the module 3.40x as included with the XOOPS release.

Thanks again!

Quote:

You've heard fine!

And if you want the 3.41 corrections, as said before, add them yourself in the files, as they are rather small.