
Look But No Read - removed for security - I want to fix it

Started by Deprecated, May 09, 2016, 09:38:52 PM


Deprecated

This was a very popular mod until it was recalled, not because it didn't do its job but because it had a security flaw: The posts leaked through the Info Center.

Link to original discussion topic: http://www.simplemachines.org/community/index.php?topic=256206.0

The basic problem is that the mod did all it promised: you could view the topic index but you had to join and become a member to actually read the topics. This enticed guests who wanted to read the topics to join your forum. It was a magnet to make people want to join.

The flaw: It got taken down because of a "security risk" which meant more or less you could access the thread from the information center.

This wasn't a serious security risk (IMO) but it was a way around viewing topics that you were supposed to "Look but no Read." I won't argue what "security" means, but the mod had a flaw that it didn't deliver on. You could read the threads if you saw them on the Information Center. You could read the topic without joining.

It was a very popular mod and I would like to return it to 2.0.11 and fix its flaws.

What I am asking for is information on how I can modify the InfoCenter and exclude some boards.

My idea is to simply exclude LBNR sections from the Information Center. That fixes the security flaw and I can verify this mod is 2.0.11 compatible and re-release it.

But here is what I am asking: How can I exclude specific boards from being shown in "recent topics" in the Information Center?

Illori

looks like the issue at hand is not really in the info center. you might want to review the PM sent to you from the cust team several years ago to figure out what has to be fixed.

Deprecated

Okay, thanks! ... This?
Quote
action=recent
action=profile;area=showposts;u=245528
action=printpage;topic=255458.0

There were a few more PMs that stated "you do not have access" or something like that...

Okay gotta fix that part, but I'm still trying to figure out how to remove boards from the Information Center for both LBNR and also a forthcoming new mod. I don't want the LBNR topics to show in the Info Center, or maybe put it under an option.

I guess it's back to the documentation === code for me. :)

I pity anybody who looks at SMF's code for the first time. Has anybody ever died from that? ROFL! :)

Illori

those are what i see as the reason the mod was removed. the info center was not mentioned at all.

Deprecated

Thank you. I will work on solving those problems.

I know the Information Center was not mentioned but I wanted to remove topics from specified boards for this and another mod. Perhaps I should start a new topic and not mention LBNR.

I go read de code now. :D


Arantor

So, they need to be excluded in action=recent, print topic, show posts, show topics, XML feeds (all the types), and hope none of your users have a portal where again this information typically leaks.

Or of course we could just not hide content from potential users.
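
The point made in the reply above, that the restriction has to hold on every action that renders post bodies and not only on the topic view, sketched as an added example (not part of any post in this thread and not SMF code). It is a simplified Python model; the board name, sample posts and function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Post:
    board: str
    author: int
    subject: str
    body: str

# Constructed sample data; "members-only" stands in for a look-but-no-read board.
POSTS = [
    Post("public", 10, "Welcome", "hello everyone"),
    Post("members-only", 10, "Insider tips", "SECRET-BODY"),
]
LBNR_BOARDS = {"members-only"}

def can_read(post, is_guest):
    return not (is_guest and post.board in LBNR_BOARDS)

def readable_posts(is_guest):
    """Single choke point: body-rendering actions fetch posts only through here."""
    return [p for p in POSTS if can_read(p, is_guest)]

def topic_index(is_guest):
    # Subjects stay visible to guests by design (the "look" half of the mod).
    return [p.subject for p in POSTS]

def leaky_actions():
    # Flawed layout: only the topic view checks permission.
    return {
        "display":   lambda g: [p.body for p in POSTS if can_read(p, g)],
        "recent":    lambda g: [p.body for p in POSTS],
        "printpage": lambda g: [p.body for p in POSTS],
        "showposts": lambda g: [p.body for p in POSTS if p.author == 10],
        "xml_feed":  lambda g: [p.body for p in POSTS],
    }

def hardened_actions():
    # Same actions, but every one reads through the filtered fetch.
    f = readable_posts
    return {
        "display":   lambda g: [p.body for p in f(g)],
        "recent":    lambda g: [p.body for p in f(g)],
        "printpage": lambda g: [p.body for p in f(g)],
        "showposts": lambda g: [p.body for p in f(g) if p.author == 10],
        "xml_feed":  lambda g: [p.body for p in f(g)],
    }

def audit(actions, secret="SECRET-BODY"):
    """Names of actions that expose a restricted body to a guest."""
    return sorted(n for n, view in actions.items() if secret in view(True))
```

Running `audit` over every registered action as a regression test catches a new action (a portal block, another feed type) that bypasses the shared fetch.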

Tony Tran

I have the same issue too and expect it will be fixed soon enough.

oOo--STAR--oOo

If I fixed this mod, I wouldn't be able to upload it, as you're not allowed to, only the author is. I think the policies need to be changed on this. The mod should go back into review and this allows people to commit new changes to the mod.

I think I used one of Arantor's mods to add board permissions that is old and doesn't work. But I have edited this mod heavily to work and also fixed the relevant security issues where people could gain access to the topics through other sections on the forums, so I know too well about these issues. I still use this mod today and I am going to be rewriting it to be more optimised for the new forum I am designing, it's a great mod Arantor, you really should update it!

I have been busy in and out of university doing all sorts of things, so maintaining something is not easy for me as my workload is massive and now and again I get spurts of free time where I like to code new things.

Is there a fast way to look for changes in source and create a script for an installer package? Find/Insert/replace?
You can't fool a sufficiently talented fool.

http://www.uniquez-home.com
In Design Phase!

Mods I am designing,  No refresh Collapse Categories , Poll Redesign , Pure CSS Breadcrumb , Profile Statuses, Profile Views.

Arantor

Eh, 2.1 lets you do everything that mod did. Also, your entitlement is showing again, it's a mod I never used myself and have zero interest in updating.

Suki

Quote from: aljo1985 on July 21, 2016, 02:34:19 AM
If I fixed this mod, I wouldn't be able to upload it, as you're not allowed to, only the author is. I think the policies need to be changed on this. The mod should go back into review and this allows people to commit new changes to the mod.



Just need to address this.

There is no policy, this isn't something SMF can control or has control over. Code belongs to whoever wrote it or to whoever has the rights for it.

It's all about license and licensing a piece of code, if the mod has a suitable license then anybody can take the mod and update it as long as the updated code fully complies with the mod's license restrictions. If a mod has no license it falls back to an "all rights reserved" type of license which of course protects the code author's rights and ownership of the code.

The only thing SMF has control over is the modsite, if someone wants to take over a mod from somebody else, both parties have to agree on the change. If for some reason the original mod author is gone then each case is reviewed and acted on accordingly. Do note that this solely concerns the mod being hosted on the modsite, it has nothing to do with the mod's ownership or any other copyright laws.



Quote from: aljo1985 on July 21, 2016, 02:34:19 AM
Is there a fast way to look for changes in source and create a script for an installer package? Find/Insert/replace?

You can use a diff patch and create a package from it.
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

oOo--STAR--oOo

Quote from: Suki on July 21, 2016, 09:44:06 AM
Quote from: aljo1985 on July 21, 2016, 02:34:19 AM
If I fixed this mod, I wouldn't be able to upload it, as you're not allowed to, only the author is. I think the policies need to be changed on this. The mod should go back into review and this allows people to commit new changes to the mod.



Just need to address this.

There is no policy, this isn't something SMF can control or has control over. Code belongs to whoever wrote it or to whoever has the rights for it.

It's all about license and licensing a piece of code, if the mod has a suitable license then anybody can take the mod and update it as long as the updated code fully complies with the mod's license restrictions. If a mod has no license it falls back to an "all rights reserved" type of license which of course protects the code author's rights and ownership of the code.

The only thing SMF has control over is the modsite, if someone wants to take over a mod from somebody else, both parties have to agree on the change. If for some reason the original mod author is gone then each case is reviewed and acted on accordingly. Do note that this solely concerns the mod being hosted on the modsite, it has nothing to do with the mod's ownership or any other copyright laws.



Quote from: aljo1985 on July 21, 2016, 02:34:19 AM
Is there a fast way to look for changes in source and create a script for an installer package? Find/Insert/replace?

You can use a diff patch and create a package from it.

Lol sue me :) Understood, I see that as valid and etiquette. I mean I have some scripts for checking for changes, I mean do you have an auto parser that will create the inserts for me based on the differences already made or would I need to code something specifically for that? Just wondering if one is already made/available.

Without sounding like I am entitled, I have an opinion for a devised policy that allows users to get more from SMF. As in, an agreement could be written that all developers can agree to that enables inactive mods to be patched to work for current SMF versions based on popular demand for a specific mod.

The agreement should be something like, if you are inactive/unable and there is a demand to fix/patch a modification that has been submitted to SMF, you allow us to apply any patches "only" to the modification submitted ensuring that you also retain full copyright to your source. I don't really see any discrepancies with this and I think it is fair and would allow users to get a better experience from developing their forum to their custom needs/wants. This could be introduced as an option where a user is submitting a mod, they could either opt into this agreement or choose not to. It won't affect their ability to submit modifications.

I know this will never happen, but you know, I'll throw the suggestion out there anyway! Because there are people like me, who could simply run through their code and simply get it fixed with relative ease!

Kindred

Already answered...  if the license allows it, that can be done. If no license was specified, then you can not. Period.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Irisado

Off topic/spam posts have been removed.  Please stay on topic.  Thank you.
Dreaming of a beach where the sun shines, a rainbow lights up the sky, and the sea shimmers iridescently
