What are the versions of Xoops affected by this ?

Quote:

Quote:

Probably all Xoops versions released so far are affected.

Quote:

I suspect that Hervé was referring to the newly announced 2.0.17.1RC2........... has this fix made it into it?

Will it be included in the "2.0.17.1 Final" and all subsequent releases?

Just so we know if folks ask in the future, which they are sure to do

The files /class/uploader.php and /class/mimetypes.inc.php are the same in the uploader patch as they are in Xoops 2.0.17 RC2.
So the patch made it into 2.0.17.1 RC2.

I think we can assume that this security patch will be included in the 2.0.17.1 final version too.

McDonald is correct.

Quote:

<pedant mode>

So it's not applicable to all versions

</pedant mode>

The above comment is made with humorius intent. The comment below is sincere.

Thanks for the update - much appreciated

My question was asked to know if it was for the 2.0.17 version or ALL the versions but I had the answer.

I wonder if the patched uploader IS secure? If I get this right mimetype checking is relying on what the browser delivers on mimetype information.

Maybe there should be checks made afterwards with THIS or even better THIS.

But as a drawback, certain things have to be properly set resp. installed. Maybe we can see this in the next version?

Frank,

That's just a comment from myself, I've been playing with mime_content_type, it relies on a file that is not always installed and not always up to date and I did not get much more success with the finfo functions.

But you are true, the information coming from the browser is not trusty.

** EDIT by myself **
If you use this patch with a version of Xoops older than the 2.0.17 you will have some problems because this class uses some defines that don't exist in older versions (for example in the 2.0.16)

Other point, when the file size is not set by the module, the class returns true (in checkMaxFileSize()) as if everything was ok. I think it will be disturbing for users to have a module that is telling them that the upload was ok when it's not true no ?



Hervé.

Perhaps we should focus 2.0.18 on all possible vuln

Quote:
come on, guys, is the "patch of the patch" process going to be a new dev rule? do the core dev test their work?
please don't make again old mistakes, and learn from past. it's really not time to play again old bad errors, this will confuse community.

Moreover, i hope you will add in the 2.0.17.1 changelog some informations about the hervet's comment ("Other point, when the file size is not set by the module, the class returns true (in checkMaxFileSize()) as if everything was ok. I think it will be disturbing for users to have a module that is telling them that the upload was ok when it's not true no ?")

good evening.

Is it necessary for Xoops 2.0.16?

Do you recommend to take a backup first?

Quote:

I'm using the patch with 2.0.7.3 and up to now it seems not to make any problems.
What defines do you talk about? Language defines? (I also did an update of them).

I know the announcement says all versions, but in response to Hervet's comment, can we have a definitive confirmation from core team - is this patch suitable to apply to all versions of Xoops (2.0.7. 10, 13, 14 etc..)?

Well, as I said it seems to work well with 2.0.7.3. I couldn't make out any problems so far.

Quote:
If you upload a file and something is going wrong, you will see some defines like (just an example) _ER_UP_MIMETYPELOAD instead of the text (because those defines only exist in 2.0.17 in a new file /xoops/language/mylang/uploader.php)

Thx Hervet. So, the file /xoops/language/mylang/uploader.php and some instruction where to put it should really be added to the patch downloads, yes?

There's only the core team which can give you an answer.

Quote:

I considered that with the update.

It appears that this security patch is incomplete to qualify for use with all versions of Xoops. Not a big deal to add the missing file to the download, surely?

This might seem like a silly question but...

I have php safe mode on, and none of my modules are set to allow uploads at all.

Do I need to use this patch?

Or am I safe waiting until xoops 2.0.17.1 comes out (I am using 2.0.16 now)?

Thank you.