Page themes fixed...
-> AFV News Discussion Board

#16: Re: Page themes fixed... Author: Doug_Kibbey Location: The Great Satan Posted: Sun Feb 05, 2012 10:26 pm
    ----
The chief building superintendent sez:

"I've come across some information on this. Since the update prior to this last one, the updated BBcode has changed and that new change will not allow spaces in the URL link. A request to revamp the code has been made..."

...roughly meaning: "We've asked, and are awaiting a response, about which we haven't a lot of say."

#17: Re: Page themes fixed... Author: Smashy Posted: Mon Feb 06, 2012 12:09 am
    ----
- Doug_Kibbey
The chief building superintendent sez:

"I've come across some information on this. Since the update prior to this last one, the updated BBcode has changed and that new change will not allow spaces in the URL link. A request to revamp the code has been made..."

...roughly meaning: "We've asked, and are awaiting a response, about which we haven't a lot of say."


This is very important as Linux web servers allow users to create folder names & file names with spaces in them and there are a heck of a lot of Linux web servers out there.

If I remember correctly the workaround is you must surround the filename with quotation marks?

#18: Re: Page themes fixed... Author: Doug_Kibbey Location: The Great Satan Posted: Mon Feb 06, 2012 11:36 pm
    ----
- Smashy
- Doug_Kibbey
The chief building superintendent sez:

"I've come across some information on this. Since the update prior to this last one, the updated BBcode has changed and that new change will not allow spaces in the URL link. A request to revamp the code has been made..."

...roughly meaning: "We've asked, and are awaiting a response, about which we haven't a lot of say."


This is very important as Linux web servers allow users to create folder names & file names with spaces in them and there are a heck of a lot of Linux web servers out there.

If I remember correctly the workaround is you must surround the filename with quotation marks?



Here's the latest (and we can assume final) word on this subject:

"I'm still looking into this issue and this is what I've learned to date...

The BBcode code writers (the code used on most forums and here at CC) have found a security issue with the older code which allowed spaces in the URL link. At the moment, the code writers are 'sticking to their guns' about not allowing spacing in URLs.

Some of the pic hosting sites on the web such as PhotoBucket allow using spaces in their URLs so it's going to be a bigger problem than some realize if those sites don't update their policies. It's too easy to include malicious code in broken (using spaces) URLs and that could include redirect scripts that would allow a hacker to point others to a different site than you had intended to use or inserting JAVA code to install hacker code into your personal computer.

A more 'techy' point of view:

One way to think about this problem is as well to check on server side that GET and POST requests are not equivalent.

A POST request can alter data on the server side; a GET request mustn't change anything. That's the HTTP protocol. An IMG tag is a GET request, always. And the browser can perform this GET request without any risk, so the problem is on the server side: every action that can alter data (database, session, etc.) must check the request is a POST one. For example your /post url should return asking for a POST confirmation. If this is wrong in your application, then you'll have problems not only with altered IMG tags, but maybe as well with 'html page speeders' that make preload of GET references, or even bots.

It's possible to 'force' (rewrite) the code, but I think we should err in the way of security as it's our duty to try to protect our users as much as possible."




Sorry for any inconvenience, but site and member safety come first, as it should be.
I'm no authority, but I have plenty of anecdotal experience that suggests that it's not good practice to include spaces in any filenames, etc....and it's also not wise to make them any longer than they have to be.
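
The "techy" point quoted in the post above (an IMG tag is always a GET, so any action that alters data must insist on POST), sketched as an added example; it is not part of the original thread or of the forum software's code. The `/post` path comes from the post, while `app`, `img_urls`, `request`, the `text` form field and the example hostnames are assumptions made for illustration.

```python
import io
import re
from urllib.parse import parse_qs, urlsplit

POSTS = []                    # stand-in for the forum database (constructed)
STATE_CHANGING = {"/post"}    # routes that alter server-side data
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.I | re.S)

def app(environ, start_response):
    """Minimal WSGI endpoint: GET is read-only, only POST may write."""
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if path in STATE_CHANGING:
        if method != "POST":
            # An [img] tag, a prefetching "page speeder" or a bot ends up
            # here: refuse and change nothing, whatever the query string says.
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b"Submit posts with the form (POST).\n"]
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        POSTS.append(form.get("text", [""])[0])
        start_response("303 See Other", [("Location", "/")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return ["\n".join(POSTS).encode()]

def img_urls(bbcode):
    """URLs a browser would GET while rendering the post. URLs containing
    whitespace are dropped, mirroring the updated BBcode rule."""
    return [u for u in IMG_TAG.findall(bbcode) if not re.search(r"\s", u)]

def request(method, url, body=b""):
    """Drive app() in-process (no network) and return the status line."""
    parts = urlsplit(url)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": parts.path,
               "QUERY_STRING": parts.query, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]

if __name__ == "__main__":
    # Constructed forum post: one image URL aims at /post, one has a space.
    post = ("[img]http://forum.example/post?text=spam[/img] "
            "[img]http://pics.example/my photo.jpg[/img]")
    for url in img_urls(post):
        print("GET", url, "->", request("GET", url), "| stored:", POSTS)
    print("POST /post ->", request("POST", "/post", b"text=hello"), "| stored:", POSTS)
```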

#19: Re: Page themes fixed... Author: Roy_A_Lingle Location: El Paso & Ft Bliss, Texas Posted: Tue Feb 07, 2012 10:20 pm
    ----
Hi Doug! Hi Folks!

Thanks for the update! The last thing we all need is to lose another site.

Sgt, Scouts out!




All times are GMT - 6 Hours
