Am I right that this was caught within 24h only and fixed in not much more time? At this point I'd like to say "Good work" to whoever contributed to this outcome!!
Excerpts from Charles Campbell's message of Tue Sep 25 16:21:50 +0200 2012:
> Um, that isn't what I said, or at least not what I intended to say. So,
> I'll break it down a bit:

I agree that it might solve a lot of this problem - and that it would make it a lot harder for people to upload such files.

The interesting question is: Why are they uploaded? What is their purpose?

Possible:
- they want to hack www.vim.org (and hack customer browsers and machines)
- they want to upload data which they use to steer other bots (eg some IP addresses hidden in some images)
- intentionally upload bad scripts installing viruses which harm your computer. (Did this ever happen in the past?)

The files contained <?php code which makes me think they tried to hack the server (eg by using memory corruption or the like in some strange tiff libraries or whatsoever). However it could be a fake, and their target is other code on client machines - who knows?

If they want to hack www.vim.org -

As maintainer of VAM I also see that quite a lot of VimL code is happily distributed on github only without being uploaded to www.vim.org. For a long time I have had in mind making the www.vim.org distribution process simpler, eg only provide a github url once, and then let www.vim.org poll updates every 3 days or so.

If we started reviewing coders/ code/ uploads - this would mean that there was a strong reason propagating using www.vim.org as source.

vim-addon-manager-known-repositories could serve a similar purpose - and I'd love to see this all being part of www.vim.org. Lack of time (and not wanting to use PHP for new work) prevented me from finishing new proposals.

> (I can't return the favor to post this as if it were from you because
> GSFC's outgoing system won't let me :|

Just rent any virtual server (there are services even allowing you to do so for a couple of hours) - *ignore their terms of service* - and here you go - setting up an SMTP mailer is enough. What can you do against such?

There are different ways to sign or even encrypt emails. This way you can prove an origin of an email. Wikipedia lists them all.

Marc Weber
