Open emanwebdev opened 11 years ago
I think we could do something like that in the oc::clean_request(); why not ;)
i'm currently working on the install.
i'd like to be able to change the name of the dir of the admin back-office
coz on my test websites, got a lot of login attempts to the admin !
i guess bots & attackers look for /admin/ directory.
This directory name is too easy to guess
and we need a protection against successive login attempts
for that we have the CSRF, we can change it to oc-panel if you want, it is going to be like that in v2.0.
But do not do too much effort also do not complicate too much the install in few months v2.0. will be released! :-D
in /admin/settings.php, some changes (more to come) to check TEXTAREA fields, and numeric ones
```php
if ($_POST){
    $_POST["SIDEBAR"]=implode(',',$_POST["SIDEBAR"]);// sidebar
    // textarea fields to check and clean
    $arrTextAreaFields = array('SITE_DESCRIPTION','ANALYTICS','ADVERT_TOP','ADVERT_SIDEBAR','ADDTHIS_CUSTOM','ADDTHIS_SHARE','EMAIL_NEW_ACCOUNT','EMAIL_FORGOT_PASSWORD');
    // numeric fields to check and convert to int
    $arrIntFields = array('PASSWORD_SIZE','EXPIRE_POST','MIN_SEARCH_CHAR','YTV_WIDTH','YTV_HEIGHT','ITEMS_PER_PAGE','DISPLAY_PAGES','MAX_IMG_NUM','IMG_RESIZE','IMG_RESIZE_THUMB','MAX_IMG_SIZE','PAYPAL_AMOUNT','RSS_SIDEBAR_COUNT','RSS_ITEMS','SITEMAP_EXPIRE','CACHE_EXPIRE','SMTP_PORT');
    $succeed=false;
    //generating the config.php
    $config_content = "<?php\n//Open Classifieds ".VERSION.' '.T_('Config').' '.date("d/m/Y G:i:s")."\n";
    foreach ($_POST AS $key => $value){
        if ($key!='submit' and $key!='TIMEZONE'){
            $value = str_replace('\"', '"', $value);
            // if(in_array($key,$arrTextAreaFields)) $value=stripslashes(str_replace("\n", '', $value));// textarea field
            if(in_array($key,$arrIntFields)) $value=abs(intval($value));//numeric fields
            // one define() line per setting; 'TRUE'/'FALSE' become booleans
            if ($value==='TRUE') $config_content.="define('$key',true);\n";
            elseif ($value==='FALSE') $config_content.="define('$key',false);\n";
            else $config_content.="define('$key','$value');\n";
        }
    }
    // (rest of the handler is not shown in the post)
}
```
> we can change it to oc-panel
good choice
there are 58 occurrences of admin/ in the whole code
it's impacting 30 files...
we'd better quickly write a function returning the path to admin
and we can let users change it during the install, hence every installation can have its own secret path
just a rename to perform at the end of the install :)
but i'm wondering how WordPress does...
everyone knows the path to /wp-admin/
but i guess they have a kind of login protection against repetitive attempts
I don't think they control anything.
yes having a function that returns the path is convenient but as said do not do too much effort. ;)
> I don't think they control anything
you're right... KISS as they said :+1:
> do not do too much effort also do not complicate too much the install in few months v2.0. will be released
good, but i can't wait :watch:
> also do not complicate too much the install
sure, i just make it more robust (++ i found an issue with duplicated '/' in the suggested path, gives paths with duplicated '/' written in the config. Some hosts can't handle it...)
P.S. Do you have an AWeber.com account ?
Can you send me the subscription form code pls
hehehhe
Oh, you found a bug! great! also I know in windows....sucks...
To register the sites I use ocacu.com that I developed myself, so I can count how many installations there are and later to send emails ;)
> To register the sites I use ocacu.com that I developed myself, so I can count how many installations there are and later to send emails ;)
ok, you already do the follow up, good for you :)
regarding registration, is it why the website gets registered even when the Ocacu checkbox is unchecked?
or another heu... bug.. :dancers:
> To register the sites
imho, you should register them ESPECIALLY when installation went wrong
For example, I just tried to install a fresh 1.8.3, but as the cache is set to 'auto', the switch in the cache::set_cache_type() matches, for instance, 'Memcache' because it's installed on the host (i was not even aware of it)
But after installation, everything hangs (blank page) coz of course the params given from the constructor are wrong
This is a BIG issue and i guess you have a lot of requests about that
Cache should be off during & just after installation
install/index::156
```html
<input type="checkbox" name="OCAKU" value="1" checked="checked" />
```
with checked="checked" hardcoded
then
install/install.php::48
```php
//ocaku register
if ($install)
{
    if ($_POST["OCAKU"] == 1)
    // ... (snippet ends here in the post)
```
always register the website
Good for you :)
Hello,
No it was meant to register only if it was successful...that's a bug :( can you fix it? thanks.
About the cache you are right, by default it should not be auto, should be filecache, many people face problems, change it also ;)
regards
> No it was meant to register only if it was successful...that's a bug :( can you fix it? thanks.
ok, done
> About the cache you are right, by default it should not be auto, should be filecache, many people face problems, change it also ;)
ok, TODO
in v. 1.7.6 or so, we don't clean if admin and page settings.php
it was something like this:
now, in bootstrap.php::26
is always called
how can we handle post of custom HTML and Javascript code in admin settings?
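
One way to approach the question above, as an added example that is not part of the thread or of the Open Classifieds code: write every setting with `var_export()` so pasted HTML/JavaScript stays a string literal in the generated config.php, and accept only known keys. The function name `build_config`, the shortened field lists and the sample input are assumptions made for this illustration.

```php
<?php
// Added example; build_config() is a hypothetical helper, not Open Classifieds code.
// Short subsets of the thread's $arrIntFields / $arrTextAreaFields, used as allow-lists.
const INT_FIELDS  = ['PASSWORD_SIZE', 'ITEMS_PER_PAGE', 'SMTP_PORT'];
const TEXT_FIELDS = ['SITE_DESCRIPTION', 'ANALYTICS', 'ADVERT_TOP'];

function build_config(array $post): string
{
    $out = "<?php\n";
    foreach ($post as $key => $value) {
        $isInt = in_array($key, INT_FIELDS, true);
        // The key is request data too: skip anything not on an allow-list,
        // and skip nested arrays that cannot become a single constant.
        if ((!$isInt && !in_array($key, TEXT_FIELDS, true)) || !is_scalar($value)) {
            continue;
        }
        $value = $isInt ? abs((int) $value) : (string) $value;
        // var_export() emits a valid PHP literal: quotes and backslashes in
        // the stored HTML/JavaScript are escaped, so the value stays data
        // and cannot end the define() statement it is written into.
        $out .= 'define(' . var_export($key, true) . ', '
              . var_export($value, true) . ");\n";
    }
    return $out;
}

// Constructed sample input: markup with both quote styles, a malformed
// number, and a key that is not on either allow-list.
$sample = [
    'ANALYTICS'      => "<script>var id = 'UA-0000'; track(\"page\");</script>",
    'ITEMS_PER_PAGE' => '-20abc',
    'UNKNOWN_KEY'    => 'ignored',
];

$config = build_config($sample);
echo $config;

// Round-trip check: the generated file must parse, and each constant must
// hold exactly what was submitted (text) or its normalised integer.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, $config);
include $tmp;
unlink($tmp);
var_dump(ANALYTICS === $sample['ANALYTICS']);
var_dump(ITEMS_PER_PAGE === 20);
var_dump(defined('UNKNOWN_KEY'));
```

This only protects the generated config.php; settings that are not meant to carry markup still need `htmlspecialchars()` at the point where they are printed into a page.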