I guess it's time I get involved again. :) I am TheWalrus. (Goo goo g'joob.)
We have been using the clean URLs patch for quite a while now, probably at
least six months. I have yet to experience any problems wrt the clean URLs
patch. Also, since I’m in the computer security business, I convinced myself
the patch (and .htaccess file) was correct and did not affect security. I’ve
also scanned PP with a commercial web-app scanner and it didn’t find any
problems related to the clean URLs. It also didn’t find anything that offended
my security consciousness enough to go fix, as I recall. :D
So what happened to Ryan? I guess I got real busy at work and kind of dropped
off the project for a bit, but I thought he was still leading it. I’m glad to
see some movement on it now!
--
===================
Brett Edgar, CISSP, CSSLP
True Digital Security, Inc./DESA Research, LLC.
[email protected]
866.430.2595 x 103
www.truedigitalsecurity.com <http://www.truedigitalsecurity.com>
From: Timothée Boucher [mailto:[email protected]]
Sent: Friday, May 01, 2009 5:25 PM
To: [email protected]
Subject: Re: [PP-dev] Roadmap for 0.8.5 discussion
Hi Jon,
I'll be honest, I forgot some of the details of what I did, but after looking
over the last patch I submitted, I can tell you that I added the detection in
the installation steps, so that if mod_rewrite is not loaded (through
apache_get_modules(), so should work if not using Apache), the checkbox is
disabled. If mod_rewrite is loaded, it doesn't set it automatically though.
At this point, I left this configuration option inside config/config.php so
that it can be changed manually at will (including in case of problems).
To sum up:
mod_rewrite loaded => checkbox allowed*
checkbox checked => option CLEAN_URL set to true in config/config.php
when a URL is created, it checks for that option. If false, it stays as it is
right now.
But I share your concern about the slight risks included with this. For one
thing, I never tested it with a web server other than Apache (partly because I
didn't have access to IIS for example, partly because the current PP
requirements say to use Apache :) )
Also, if anybody is familiar with .htaccess files, I'd be very happy if you can
have another look at this.
Regarding bugs, I would say that for my use, it didn't bring up any problem
(confirmed by TheWalrus as well). However, I don't use every feature, so I
might have literally worked around a bug without knowing it.
All in all, I'm pretty sure it works fine (Apache or not), but the fact that it
was over a year ago lowers my confidence a little. I'll have another look
myself but, once again, an exterior critical look would be welcome.
Cheers,
Tim
* I realize that there is a potential though quite unlikely bug: loading the
page with mod_rewrite on, checking the box, reloading the install page and
disabling mod_rewrite, checkbox staying on and saved in the config file...
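The URL mapping and the mod_rewrite check described above, as an added PHP example (not ProjectPier's own code; the function names and the use of a CLEAN_URL constant are assumptions modelled on the thread). It re-checks mod_rewrite at runtime, which also covers the footnoted "checkbox stays on" case, and maps a clean path back to the same parameters index.php expects:

```php
<?php
// Added example, not ProjectPier code. Function names and the CLEAN_URL
// constant are assumptions based on the mailing-list description.

// Re-check mod_rewrite at runtime instead of trusting only the saved
// install-time checkbox (covers the "checkbox stays on" footnote case).
function clean_urls_enabled(): bool {
    if (!defined('CLEAN_URL') || !CLEAN_URL) {
        return false;
    }
    // apache_get_modules() exists only when PHP runs as an Apache module;
    // on other servers we cannot verify, so fall back to query-string URLs.
    if (!function_exists('apache_get_modules')) {
        return false;
    }
    return in_array('mod_rewrite', apache_get_modules(), true);
}

// Build a link in whichever form is active; both forms carry the same data.
function build_url(int $project, string $controller, string $action, int $id): string {
    $base = 'http://yourserver.net';
    if (clean_urls_enabled()) {
        return sprintf('%s/%d/%s/%s/%d/', $base, $project,
            rawurlencode($controller), rawurlencode($action), $id);
    }
    return $base . '/index.php?' . http_build_query([
        'id' => $id, 'c' => $controller, 'a' => $action, 'active_project' => $project,
    ]);
}

// Map a clean path back to index.php parameters. Only the exact shape
// /<project>/<controller>/<action>/<id>/ is accepted, with numeric ids and
// [a-z_] names, so the rewrite layer cannot be used to smuggle extra
// parameters. Anything else returns null. The parsed values still need the
// same per-project permission check as the query-string form; the rewrite
// changes only the URL shape, not who may see the object.
function parse_clean_path(string $path): ?array {
    if (!preg_match('#^/(\d+)/([a-z_]+)/([a-z_]+)/(\d+)/?$#', $path, $m)) {
        return null;
    }
    return ['id' => (int)$m[4], 'c' => $m[2], 'a' => $m[3], 'active_project' => (int)$m[1]];
}

// The thread's example: /13/message/view/4/ <=> id=4&c=message&a=view&active_project=13
var_dump(parse_clean_path('/13/message/view/4/'));
var_dump(parse_clean_path('/13/message/view/4/../other'));  // rejected: null
echo build_url(13, 'message', 'view', 4), "\n";
```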
On Fri, May 1, 2009 at 2:49 PM, Jon DeGenova <[email protected]> wrote:
Hi Tim,
Yes, that's definitely worth considering, if not for this version then for the
next. My concern would be installation. I suppose some people are running PP
on IIS or other non-Apache systems or don't have mod_rewrite installed. Do we
say it's available in the installation documentation but must be activated
manually or do we try to detect mod_rewrite during installation and activate it
automatically if the system supports it? It sounds like you've been using it
for a while and are comfortable that there aren't any bugs?
-Jon
Timothée Boucher wrote:
Hi Jon,
Thanks for the detailed email.
I'll try to have a look at the patches you mentioned and see if I can add to
the validation of some of them.
If I may add something, one patch I would like to see included is the one for
clean URLs <http://www.projectpier.org/node/760> (à la
http://yourserver.net/13/message/view/4/ instead of
http://yourserver.net/index.php?id=4&c=message&a=view&active_project=13).
Granted I'm the one who submitted it and am thus guilty of self-promotion :).
But after having installed PP without it for dev purposes, I miss having it.
No worries if you're set on the list though. It's only a "patch -p0" away.
Cheers,
Tim
On Sun, Apr 19, 2009 at 6:39 PM, Jon DeGenova <[email protected]> wrote:
I would like to propose the following roadmap for version 0.8.5 of ProjectPier.
This is open for discussion, so don't be shy about replying with your opinion.
Each item listed below includes a status, description and a link back to the
item on projectpier.org where you can get more detailed information. The list
is broken down into items that will be included for certain (items that are
basically already done), items that will be done if they pass Beta 2 testing
(again items mostly already done, they just need to be tested and tweaked), and
the last category is items that are only going to get done if someone steps
forward and takes ownership by replying back to this email by the end of the
month. If you take ownership of an item you don't have to work on it alone,
you just need to drive the issue and make sure a tested patch is submitted. If
your patch doesn't fully work by the deadline then we just push that item back
to the next release - no harm done.
As I've already stated on the blog, I would like to finalize this roadmap by
the end of April, so your quick attention is very much appreciated.
------
Goals
------
This release will concentrate specifically on cleanup of bugs that have already
been reported. The one major new feature being added is a calendar view of
milestones.
--------
Timeline
--------
30-May-09 - Beta 1 release, incomplete features.
27-Jun-09 - Beta 2 release, feature freeze.
18-Jul-09 - Release Candidate 1
8-Aug-09 - Final Release
--------------------------------
Items to be included for certain
--------------------------------
Status: Committed to SVN, requires final validation.
If you have a milestone set for the next or the previous day, it will say "one
days" instead of "one day"
http://www.projectpier.org/node/685
Status: Committed to SVN, complete.
Typo: "created new account for you" Should be "created *a* new account for you"
(in the notification email)
http://www.projectpier.org/node/506
Status: Committed to SVN, requires final validation.
No email notification when comments added with 0.8.0.2
http://www.projectpier.org/node/721
Status: Committed to SVN, requires final validation.
Cookies not expiring when the browser closes
http://www.projectpier.org/node/843
Status: Committed to SVN, requires final validation.
Added a calendar view of milestones
http://www.projectpier.org/node/28
Status: Committed to SVN, requires final validation.
If you add several times the same tag to an object, the list is not reduced to
the minimum set of tags. Besides being redundant, that means that the object is
listed twice on the tag page.
http://www.projectpier.org/node/797
Status: Committed to SVN, requires final validation.
GIF format company logo with transparency does not display properly
http://www.projectpier.org/node/743
Status: Needs committed.
File names like changes.txt, readme.txt, license.txt & upgrade.txt should be
capitalized per the Code Standards.
http://www.projectpier.org/node/1262
Status: Patch needs committed, then final testing as part of the next build.
The pagination for searching doesn't work right.
http://www.projectpier.org/node/1038
------------------------------------------------
Items to be included if they pass Beta 2 testing
------------------------------------------------
Status: Patch needs tested.
Private messages should default to private comments. Currently if you comment
on a private message, the comment is *not* private by default.
http://www.projectpier.org/node/1237
Status: Patch needs reviewed
Users can download files from projects they are not assigned to by manipulating
the URL.
http://www.projectpier.org/node/437
Status: Patch needs reviewed
User can manipulate URL to view projects they are not assigned to
http://www.projectpier.org/node/1044
Status: Patch needs reviewed
When non-company users try to attach files to message comments, they can't
do it.
http://www.projectpier.org/node/719
Status: Patch needs reviewed
Problems with file upload under linux
http://www.projectpier.org/node/294
Status: Patch needs code review
Files were being downloaded with a leading " in the name.
http://www.projectpier.org/node/1355
Status: Patch needs code review
User getting an error when trying to install the latest stable version. Found
out the solution to it is that it's 'GMT' on line 17 instead of 'gmt'.
http://www.projectpier.org/node/1250
Status: Patch needs code review
When you try and comment on a file you are presented with a blank page instead
of redirected to the file.
http://www.projectpier.org/node/1228
Status: Patch needs code review
When tasks are displayed, they lose formatting (paragraphs and line breaks).
http://www.projectpier.org/node/260
Status: Patch needs code review
In some places the local db_link is omitted; fixed occurrences of the lost variable
http://www.projectpier.org/node/720
Status: Patch needs code review
When a transparent PNG is uploaded for a company logo the transparency is
replaced by a solid dark color.
http://www.projectpier.org/node/1113
------------------------------------------------------------------------------
Items to be included if a developer volunteers to take ownership by April 30th
------------------------------------------------------------------------------
Status: Patch needs code work
On the dashboard of overview, the "Today" and "yesterday" events are timeshifted
http://www.projectpier.org/node/646
Status: Patch code needs work
RSS Item description not being generated
http://www.projectpier.org/node/1049
Status: Patch code needs work
RSS Feed affects user activity. Although a user has not been logged in for
several hours they are listed under 'active over the past 15 minutes' on the
dashboard of other users because they are accessing the RSS feed.
http://www.projectpier.org/node/493
Status: Logged, coding needed! HIGH IMPORTANCE!
Private messages linked to milestone: Subject line is not private. When you
attach a private message to a milestone (private meaning for company members'
eyes only), members of *client* companies can still see the subject line of the
message.
http://www.projectpier.org/node/1157
Status: Logged, coding needed! HIGH IMPORTANCE!
Private task lists are not really hidden. When you declare a task list as
hidden AND assign it to a milestone, its title still shows up within the
milestone it was assigned to. When a client clicks on the title he gets the
message: "You don't have permissions to access requested page". A private task
list should be completely hidden (including title).
http://www.projectpier.org/node/123
Status: Patch needs code work
The current icon that denotes a comment is private is small and not always
noticed. A patch will be made to make private comments more noticeable.
http://www.projectpier.org/node/1238
Status: Needs coded!
The system administrator should be able to change a setting so that all
messages default to private.
http://www.projectpier.org/node/1258
_______________________________________________
Projectpier-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/projectpier-development