
Bug 4023 - TinyMCE's iBrowser plugin fails
Status: RESOLVED FIXED
Product: OHS
Classification: Unclassified
Component: Plugins
Version: 2.3
Hardware: PC Mac OS X 10.3
Importance: P5 enhancement
Assigned To: PKP Support
Depends on:
Blocks:
Reported: 2009-01-26 13:51 PST by Matthew Crider
Modified: 2009-02-18 14:46 PST (History)

See Also:
Version Reported In:
Also Affects:


Attachments
Patch against PKP pre-2.3. CVS (1.12 KB, patch), 2009-01-26 13:51 PST, Matthew Crider
Patch against PKP pre-2.3. CVS (1.32 KB, patch), 2009-01-26 16:28 PST, Matthew Crider
Additional patch against PKP pre-2.3 CVS (2.30 KB, patch), 2009-02-18 14:43 PST, Matthew Crider

Description Matthew Crider 2009-01-26 13:51:06 PST
Created attachment 1358 [details]
Patch against PKP pre-2.3. CVS

Harvester doesn't ship with a 'site' directory in the public directory (like OJS and OCS), so when opening the iBrowser plugin, it fails to create an image directory within the public/site/ directory and crashes. We could ship harvester with a site directory, or use this patch to force iBrowser to create one.
Comment 1 Alec Smecher 2009-01-26 13:54:14 PST
I'd suggest creating a "site" directory for the Harvester to ship with. Matt, it's probably also worth a quick double-check for security concerns, since this will allow arbitrary users to upload files onto the server. Are there limits e.g. on file size and number? Can users upload "dangerous" file types e.g. .php scripts?
Comment 2 Matthew Crider 2009-01-26 14:50:08 PST
Only files with valid image extensions can be uploaded (i.e. it does an extension check, not a filetype check).  I'm not sure about the security implications of this--I was able to upload a php script with a '.jpg' extension but I'm not able to execute it over the web.  File size limits are, AFAICT, equal to the global filesize setting.
Comment 3 Alec Smecher 2009-01-26 14:52:23 PST
Matt, that can still be risky depending on the file permissions the file gets and whether or not the server will execute depending on a check of the MIME type. Best to add code to check the mime type as well (as the rest of OJS does).
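The contrast Comments 2 and 3 draw, an extension-only check versus one that also inspects the file's content, as an added illustration that is not part of this bug report, the attached patches, or the OJS/Harvester code base. It assumes a constructed allowlist of jpg/png/gif with their magic-byte signatures, a hypothetical 2 MB default size limit (the page does not state the global file size setting), and that accepted files are stored under a random generated name rather than the user-supplied one:

```python
import os
import secrets

# Allowed image extensions mapped to the leading bytes ("magic numbers") that a
# file of that type must start with. Constructed allowlist for this example.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Treat .jpeg and .jpg as the same type when comparing against sniffed content.
_CANONICAL = {"jpeg": "jpg"}


def extension_only_check(filename: str) -> bool:
    """The weak check: accept anything whose name ends in an allowed extension.
    Shown for contrast; it cannot tell a script renamed to .jpg from an image."""
    ext = os.path.basename(filename).rsplit(".", 1)[-1].lower()
    return ext in IMAGE_SIGNATURES


def sniff_image_type(data: bytes):
    """Return the canonical image type implied by the file's leading bytes,
    or None when the content does not start like any allowed image format."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return _CANONICAL.get(ext, ext)
    return None


def validate_image_upload(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024):
    """Return (accepted, reason). Accepts only when the extension is on the
    allowlist, the size is within max_bytes (assumed default: 2 MB), the content
    sniffs as an allowed image type, and the sniffed type agrees with the extension."""
    base = os.path.basename(filename)  # drop any directory components
    if "." not in base:
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} is not an allowed image type"
    if len(data) > max_bytes:
        return False, f"file exceeds {max_bytes} bytes"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content does not look like an allowed image format"
    if sniffed != _CANONICAL.get(ext, ext):
        return False, f"content is {sniffed} but the extension says .{ext}"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Name to store an accepted file under: random token plus the validated
    extension, so the user-chosen name never reaches the filesystem."""
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{_CANONICAL.get(ext, ext)}"


# Constructed sample uploads: a minimal JPEG header, a PNG header under a
# .jpg name, and a PHP-looking text file under both a .jpg and a .php name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "renamed.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "script.jpg": b"<?php echo 'not an image'; ?>",
    "script.php": b"<?php echo 'not an image'; ?>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        weak = extension_only_check(name)
        ok, reason = validate_image_upload(name, data)
        print(f"{name:12} extension-only={weak!s:5} content-aware={ok!s:5} ({reason})")
```

Running it shows `script.jpg` passing the extension-only check and being rejected by the content-aware one, which is the gap Comment 3 points at. A leading-bytes check is still not a full parse: a file that begins with a valid GIF header but carries script text afterwards sniffs as a GIF, so the upload directory should additionally be served without script execution, and re-encoding accepted images through an image library removes anything that is not pixel data.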
Comment 4 Matthew Crider 2009-01-26 16:28:36 PST
Created attachment 1359 [details]
Patch against PKP pre-2.3. CVS

Alec, shall I add the relevant empty directories to harvester2-devel's CVS?
Comment 5 Alec Smecher 2009-01-26 17:09:56 PST
Yes, please do.
Comment 6 Matthew Crider 2009-01-26 18:01:54 PST
I've added the 'site' directory to CVS.  I'll put a note in the forum post for the beta release.
Comment 7 Alec Smecher 2009-02-03 15:25:04 PST
Matt, if this is fixed and committed, go ahead and close.
Comment 8 Matthew Crider 2009-02-03 15:36:56 PST
Fixed.
Comment 9 Matthew Crider 2009-02-18 14:43:29 PST
Created attachment 1462 [details]
Additional patch against PKP pre-2.3 CVS

Fixes MIME type check and also enforces valid image file extension types.
Comment 10 Alec Smecher 2009-02-18 14:44:42 PST
Looks good, Matt; go ahead and commit.
Comment 11 Matthew Crider 2009-02-18 14:46:05 PST
Fixed.