Topic: Upgrade 1.4.21 (Read 8097 times)

b2k · « **on:** March 06, 2009, 01:30:38 am »

I installed successfully the 1.4.21 security fix (in functions.inc.php), on my 1.4.20 installation.

Anyway, as I'm the only user of my gallery (nobody else me can add comment, image, description, etc...), am I concerned by this bbcode security issue ?

Do I need really need to proceed this security patch ?

If answer is yes, is there any solution to add links in album and categories descriptions ? (html <a href... doesn't works). Removing links from descriptions is very less comfortable for my visitors...

Thanks for your help and advices.

Joachim Müller · « **Reply #1 on:** March 06, 2009, 08:27:16 am »

No, if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [ u r l ] and [ i m g ]

Ludo · « **Reply #2 on:** March 06, 2009, 10:41:27 am »

Does this apply to my case too?
I have only one registered user (a member of this community ), applied captcha mod to registration page and request admin approval for new members.
I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?

Fabricio Ferrero · « **Reply #3 on:** March 06, 2009, 01:56:25 pm »

Quote from: Ludo on March 06, 2009, 10:41:27 am

Does this apply to my case too?

Quote from: Joachim Müller on March 06, 2009, 08:27:16 am

if you're the only one who can enter bbcode into form fields then you're safe

Quote from: Ludo on March 06, 2009, 10:41:27 am

I figure that no BBCode can be placed if uploads and comments are disabled...am I wrong?

You're right.

Ludo · « **Reply #4 on:** March 06, 2009, 05:10:47 pm »

Hope I am

May I re-enable safely uploads and comments for registered users, or better wait for definitive fix?

b2k · « **Reply #5 on:** March 07, 2009, 06:44:23 pm »

Quote from: Joachim Müller on March 06, 2009, 08:27:16 am

No, if you're the only one who can enter bbcode into form fields then you're safe, i.e. if you're running a monolithic gallery where the only user interaction comes from you (the admin). In that case (and only in that case) it's safe to undo the patch and allow the processing of the bbcode tags [ u r l ] and [ i m g ]

Yes, nobody has access to any form field (except search field

).

I will undo the patch ,

Thanks for your help !

Joachim Müller · « **Reply #6 on:** March 08, 2009, 01:45:42 pm »

Quote from: Ludo on March 06, 2009, 05:10:47 pm

May I re-enable safely uploads and comments for registered users, or better wait for definitive fix?

If you have upgraded to cpg1.4.21 and have left the bbcode code in functions.inc.php as-is, you can savely re-enable comments and uploads by users.

Ludo · « **Reply #7 on:** March 08, 2009, 04:39:13 pm »

No, the question was related to v. 1.4.20!

Hercules24 · « **Reply #8 on:** March 12, 2009, 12:40:58 am »

Same here, I'm the only registered user and comments are off.
However: people can send e-cards (I've seen e-card spam before), is this exploit also possible via e-card [url] tags?
I disabled e-cards now also to be safe.

Joachim Müller · « **Reply #9 on:** March 13, 2009, 09:03:19 am »

One issue per thread. Locking.
You need to upgrade, that's what developers say. Anything else is entirely up to you and at your own risk. We will definitely not say "stick to cpg1.4.20 if you don't want to lose the bbcode features that have been temporarily been dropped". In fact, we say quite the opposite: upgrade to the most recent stable release cpg1.4.21 no matter what.

News:

Author Topic: Upgrade 1.4.21 (Read 8097 times)

b2k

Upgrade 1.4.21

Joachim Müller

Re: Upgrade 1.4.21

Ludo

Re: Upgrade 1.4.21

Fabricio Ferrero

Re: Upgrade 1.4.21

Ludo

Re: Upgrade 1.4.21

b2k

Re: Upgrade 1.4.21

Joachim Müller

Re: Upgrade 1.4.21

Ludo

Re: Upgrade 1.4.21

Hercules24

Re: Upgrade 1.4.21

Joachim Müller

Re: Upgrade 1.4.21