From geeklog-modules-admin at lists.geeklog.net Fri Dec 5 19:21:58 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Fri, 5 Dec 2003 19:21:58 -0500
Subject: [geeklog-modules] Portal Component Standards are evolving
Message-ID: <041101c3bb8e$f62054d0$6b1bfea9@xpbl1>

Although JSR168 is a Java standard that has been in development for a while, it was only recently ratified and the major vendors are getting behind it. Something to look for GL2.

They recently just launched a site and are now hosting a project on sourceforge.

See this article for more:
http://www.oetrends.com/news.php?action=view_record&idnum=279

Something I want to look into more and wanted to pass this along.

Blaine

From geeklog-modules-admin at lists.geeklog.net Wed Dec 10 21:32:45 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Wed, 10 Dec 2003 21:32:45 -0500 (EST)
Subject: [geeklog-modules] Geeklog/Gallery Vulnerbility Fix
Message-ID:

All that is required to correct this vulnerability is to remove the line:

    require_once($GEEKLOG_DIR . '/lib-common.php');

From the files User.php and UserDB.php in the gallery\classes\geeklog folder. The other locations where $GEEKLOG_DIR is found are preceded by an "include('config.php');" which eliminates the security risk in those areas. (This is because the $GEEKLOG_DIR variable is assigned a value in the config.php file, overriding any value passed by GET or POST.) It might not be a bad idea to check to be sure that $GEEKLOG_DIR is in the config.php file (though the integration will not work without its presence).

I'll put together an update which addresses these problems as soon as I can (perhaps as soon as this weekend). By early next year I'll try to complete a security audit of the geeklog/gallery integration code to try to eliminate all security problems.
I apologize to those affected by this problem and I hope that not many machines were compromised as a result of this problem. I don't know how long this vulnerability has been in the code, but it has been there for more than a year (since before I began to work on the integration).

-Vinny

From geeklog-modules-admin at lists.geeklog.net Sun Dec 28 22:53:19 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Sun, 28 Dec 2003 22:53:19 -0500
Subject: [geeklog-modules] Geeklog Gallery Integration Release
Message-ID: <3FEFA52F.1070608@abtech.org>

A new release which eliminates the previously discovered security vulnerabilities and updates the gallery version to 1.4.1. The file to download is gallery_1.4.1_1.3.8.tar.gz.

The url to download from:
http://sourceforge.net/project/showfiles.php?group_id=68255&package_id=69388&release_id=206395

-Vinny

From geeklog-modules-admin at lists.geeklog.net Mon Dec 29 23:14:46 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Mon, 29 Dec 2003 23:14:46 -0500
Subject: [geeklog-modules] Plugin API for usercreate
Message-ID: <00f101c3ce8b$75af61f0$640a10ac@XPBL2>

The Plugin API for create_user is called by default when a new user self registers. It is being called even if the member submission queue is enabled.

I think it should only be called if submission is off or after being approved.

Any other thoughts on this? I'm thinking this was not the intended behaviour.

Blaine

From geeklog-modules-admin at lists.geeklog.net Tue Dec 30 06:12:05 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Tue, 30 Dec 2003 12:12:05 +0100
Subject: [geeklog-modules] Plugin API for usercreate
In-Reply-To: <00f101c3ce8b$75af61f0$640a10ac@XPBL2>
References: <00f101c3ce8b$75af61f0$640a10ac@XPBL2>
Message-ID: <20031230111205.1194@smtp.haun-online.de>

Blaine wrote:

>The Plugin API for create_user is called by default when a new user self
>registers. It is being called even if the member submission queue is enabled.
>
>I think it should only be called if submission is off or after being approved.

The API function is called when new records for the new user account are created (in the gl_users, gl_userinfo, etc. tables) so that you can create a new record in your (presumed) custom table.

There may be cases where it comes in handy to have the exact same number of entries in all user-related tables (I assume ...) and it shouldn't be too much of a hassle to have an additional check to see if the user has been approved yet. In most cases, you will need to access the gl_users table anyway (e.g. to get the user name).

bye, Dirk

--
http://www.haun-online.de/
http://www.macosx-faq.de/

From geeklog-modules-admin at lists.geeklog.net Tue Dec 30 07:25:45 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Tue, 30 Dec 2003 04:25:45 -0800
Subject: [geeklog-modules] Plugin API for usercreate
In-Reply-To: <20031230111205.1194@smtp.haun-online.de>
Message-ID: <4A981AE8-3AC3-11D8-8C44-0050E4E08151@theouldsod.com>

Any word on calling these features from the admin user create? I see it as a needed feature, especially for plugins where "it comes in handy to have the exact same number of entries in all user-related tables".

Gavin

On Tuesday, December 30, 2003, at 03:12 AM, geeklog-modules-admin at lists.geeklog.net wrote:

> Blaine wrote:
>
>> The Plugin API for create_user is called by default when a new user self
>> registers. It is being called even if the member submission queue is enabled.
>>
>> I think it should only be called if submission is off or after being approved.
>
> The API function is called when new records for the new user account are
> created (in the gl_users, gl_userinfo, etc. tables) so that you can
> create a new record in your (presumed) custom table.
>
> There may be cases where it comes in handy to have the exact same number
> of entries in all user-related tables (I assume ...) and it shouldn't be
> too much of a hassle to have an additional check to see if the user has
> been approved yet. In most cases, you will need to access the gl_users
> table anyway (e.g. to get the user name).
>
> bye, Dirk
>
> --
> http://www.haun-online.de/
> http://www.macosx-faq.de/
>
> _______________________________________________
> geeklog-modules mailing list
> geeklog-modules at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-modules

From geeklog-modules-admin at lists.geeklog.net Tue Dec 30 08:10:28 2003
From: geeklog-modules-admin at lists.geeklog.net (geeklog-modules-admin at lists.geeklog.net)
Date: Tue, 30 Dec 2003 08:10:28 -0500
Subject: [geeklog-modules] Plugin API for usercreate
References: <00f101c3ce8b$75af61f0$640a10ac@XPBL2> <20031230111205.1194@smtp.haun-online.de>
Message-ID: <000b01c3ced6$4b962480$640a10ac@XPBL2>

I'm using the function now ok - and I can certainly add the additional check to see if there is a moderation record as well.

It's just that it appeared to not be the intended behaviour. I just thought that it would be better to call it after being approved - if the user was.

Blaine

----- Original Message -----
From:
To:
Sent: Tuesday, December 30, 2003 6:12 AM
Subject: Re: [geeklog-modules] Plugin API for usercreate

> Blaine wrote:
>
> >The Plugin API for create_user is called by default when a new user self
> >registers. It is being called even if the member submission queue is enabled.
> >
> >I think it should only be called if submission is off or after being approved.
>
> The API function is called when new records for the new user account are
> created (in the gl_users, gl_userinfo, etc. tables) so that you can
> create a new record in your (presumed) custom table.
>
> There may be cases where it comes in handy to have the exact same number
> of entries in all user-related tables (I assume ...) and it shouldn't be
> too much of a hassle to have an additional check to see if the user has
> been approved yet. In most cases, you will need to access the gl_users
> table anyway (e.g. to get the user name).
>
> bye, Dirk
>
> --
> http://www.haun-online.de/
> http://www.macosx-faq.de/
>
> _______________________________________________
> geeklog-modules mailing list
> geeklog-modules at lists.geeklog.net
> http://lists.geeklog.net/listinfo/geeklog-modules
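
Added example, not part of the thread and not code from the Geeklog/Gallery integration: a small Python audit check for the pattern described in the 10 Dec 2003 fix message above, an include or require whose path variable has not been given a value earlier in the same file. The function name `audit_php`, the sample file contents and the rule that including config.php sets `$GEEKLOG_DIR` (as that message states) are assumptions made for illustration.

```python
import re

# include/require whose path begins with a PHP variable, e.g.
# require_once($GEEKLOG_DIR . '/lib-common.php');
VAR_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)", re.I)
# literal include of config.php, the file that assigns $GEEKLOG_DIR
CONFIG_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*config\.php['\"]", re.I)
# plain assignment "$name = ..." (not ==, => or .=)
ASSIGN = re.compile(r"\$(\w+)\s*=(?![=>])\s*(.*)")
# right-hand sides taken directly from the request
REQUEST_DATA = re.compile(r"\$(?:_GET|_POST|_REQUEST|_COOKIE|HTTP_\w+_VARS)\b")


def audit_php(source, config_vars=("GEEKLOG_DIR",)):
    """Return [(line_no, variable)] for every include whose path variable has
    not been given a value earlier in the same file."""
    trusted, findings = set(), []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines
        inc = VAR_INCLUDE.search(line)
        if inc and inc.group(1) not in trusted:
            findings.append((line_no, inc.group(1)))
        if CONFIG_INCLUDE.search(line):
            trusted.update(config_vars)  # assumption: config.php sets these
        assign = ASSIGN.search(line)
        if assign:
            if REQUEST_DATA.search(assign.group(2)):
                trusted.discard(assign.group(1))  # request data is not trusted
            else:
                trusted.add(assign.group(1))
    return findings


# Constructed samples; only the require_once line is taken from the message.
UNPATCHED = """<?php
require_once($GEEKLOG_DIR . '/lib-common.php');
"""
CONFIG_FIRST = """<?php
include('config.php');
require_once($GEEKLOG_DIR . '/lib-common.php');
"""
REQUEST_ASSIGNED = """<?php
include('config.php');
$GEEKLOG_DIR = $_REQUEST['dir'];
require_once($GEEKLOG_DIR . '/lib-common.php');
"""
```

`audit_php(UNPATCHED)` reports line 2, `audit_php(CONFIG_FIRST)` reports nothing, and `audit_php(REQUEST_ASSIGNED)` reports line 4. The check is line-based and per-file, so it does not follow values set in other included files or inside functions.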