test report for SJSB bridge: smfmod can't be installed

Started by baijianpeng, June 06, 2008, 04:31:58 AM


baijianpeng

hi, iwoody,

Thank you for letting us share the SJSB bridge for Joomla! 1.5.x and SMF 2.x.

Today I tested this bridge on my Joomla! 1.5.2 with SMF 2b31p version (downloaded from SMF site without any change).

I can install the component and the module easily. But when I try to install the smfmod at the admin side of SMF, there is an error message saying:

Quote
The package you are trying to download or install is either corrupt or not compatible with this version of SMF.

I don't know what format I should input in the field of "SMF absolute path": H:\xampp\htdocs\smf2\ or H:\xampp\htdocs\smf2? I mean, should I keep the last slash?

Another problem is that there is a parameter at the backend of the SJSB bridge component which asks for "Custom ItemID", and the default value is -1. I don't know what I should do with this field.

I tried to install the smfmod manually and then created a frontend menu through the SJSB component to view the default forum page. But when I click this menu at frontend, I got a blank page in FireFox browser.

However, I believe SJSB is a good bridge which can really work since I had seen the demo on your website. Then I hope you will add multi-language support to this bridge component so that I can offer you a Chinese translation.

Thank you very much.

baijianpeng
JoomlaGate: The way to the World of Joomla!

http://www.joomlagate.com

ilwoody

Hello!

thanks Baijianpeng! you win the "first bug reporter" title :)

The smfmod 1.0.3 package is broken, sorry to have not tested the installation before releasing it.. wops! still you should be able to see stuff even without this package installed

I wrote some installation notes
http://code.google.com/p/sjsb/wiki/Installation

The custom id is the id on the right column in the menu item manager (see the screenshot); it's needed to properly make the link to your wrapped forum from the mod_sjsb package (the SSI wrapper)

I'll get back to you with a proper smf package soon, meanwhile could you please move this discussion over here? thanks

http://groups.google.com/group/sjsb

Simple Joomla! 1.5.x / SMF 2.x bridge - ver 1.0.14 alpha 26/03/2009
http://code.google.com/p/sjsb/
--
Support: http://groups.google.com/group/sjsb
Bugs:  http://code.google.com/p/sjsb/issues/list
Live: http://www.youpokeme.com/sjsb/

Orstio

Your mod removes this (comments it out) from obExit:

       // Don't exit if we're coming from index.php; that will pass through normally.
       if (!$from_index || WIRELESS)
               exit;


Which means that ANY registered user could gain access to your SMF admin panel.

Orstio

Your mod also removes the security fix from Subs-Auth.php to ensure that sessions don't get stolen.


ilwoody

Quote from: Orstio on June 06, 2008, 07:31:38 AM
Your mod removes this (comments it out) from obExit:

       // Don't exit if we're coming from index.php; that will pass through normally.
       if (!$from_index || WIRELESS)
               exit;


Which means that ANY registered user could gain access to your SMF admin panel.

actually I do throw an exception to catch it from joomla, this way you should be able to exit properly still wrapping the forum inside joomla; I'll add a test for php > 5 otherwise I'll just exit (like the original code)
the patch is

https://www.develer.com/gitweb/pub?p=users/woody/sjsb/.git;a=blob;f=smfmod/patches/smf20_throwexception;h=42a9c377a520f74bf0738090bfff289343a395f3;hb=HEAD



diff -r 0ea73cb6f910 smf20/SSI.php
--- a/smf20/SSI.php Sat Apr 19 23:54:12 2008 +0200
+++ b/smf20/SSI.php Sun Apr 20 00:04:26 2008 +0200
@@ -162,10 +162,17 @@
if (isset($_GET['ssi_function']) && function_exists('ssi_' . $_GET['ssi_function']))
{
call_user_func('ssi_' . $_GET['ssi_function']);
+
+ // Joomla will catch the execption
+ throw new Exception("AIUTO");
exit;
}
if (isset($_GET['ssi_function']))
+{
+ // Joomla will catch the exception
+ throw new Exception("AIUTO");
exit;
+}
// You shouldn't just access SSI.php directly by URL!!
elseif (basename($_SERVER['PHP_SELF']) == 'SSI.php')
die(sprintf($txt['ssi_not_direct'], $user_info['is_admin'] ? '\'' . addslashes(__FILE__) . '\'' : '\'SSI.php\''));
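Review bot: In both branches of this SSI.php hunk the `exit;` that follows `throw new Exception("AIUTO");` is unreachable, so whether the request stops now depends entirely on whatever catches the exception. The throw is also unconditional, so a request that reaches SSI.php with `ssi_function` set and no wrapper around it ends in an uncaught exception instead of a clean exit. Suggest throwing only when a bridge flag is set and keeping `exit;` as the default path, and using a dedicated exception class rather than the base `Exception` so that an unrelated `catch (Exception $e)` cannot swallow it.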
@@ -1944,4 +1951,4 @@
</table>';
}

-?>
\ No newline at end of file
+?>
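Review bot: The `?>` change at the end of SSI.php only adds a trailing newline and is unrelated to the exception change; the same edit appears at the end of Subs.php. Suggest dropping it from this patch or sending it separately so the security-relevant hunks are easier to review.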
diff -r 0ea73cb6f910 smf20/Sources/Subs.php
--- a/smf20/Sources/Subs.php Sat Apr 19 23:54:12 2008 +0200
+++ b/smf20/Sources/Subs.php Sun Apr 20 00:04:26 2008 +0200
@@ -2732,7 +2732,11 @@

// Don't exit if we're coming from index.php; that will pass through normally.
if (!$from_index || WIRELESS)
- exit;
+ {
+ // Lets throw an exception that joomla can catch
+ throw new Exception("AIUTO");
+ //exit;
+ }
}

// Usage: logAction('remove', array('starter' => $id_member_started));
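Review bot: With `exit;` commented out in this obExit hunk, termination under `!$from_index || WIRELESS` now relies on a caller catching `Exception("AIUTO")` and then stopping or discarding the buffered output; nothing in the hunk enforces that. Suggest keeping `exit;` as the fallback whenever the bridge is not the caller, and throwing a bridge-specific exception class so the catcher can tell this exit from any other error and decide explicitly whether the buffer may be sent.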
@@ -3902,4 +3906,4 @@
if (!$user_info['is_guest'] && $context['user']['unread_messages'] > 0 && isset($context['menu_buttons']['pm']))
$context['menu_buttons']['pm']['title'] .= ' [<strong>'. $context['user']['unread_messages'] . '</strong>]';
}
-?>
\ No newline at end of file
+?>

ilwoody

Quote from: Orstio on June 06, 2008, 07:47:53 AM
Your mod also removes the security fix from Subs-Auth.php to ensure that sessions don't get stolen.



yes I'm not happy about this hack either, but atm this is my best solution to keep the joomla user logged in; I need to find a way to move a joomla user from one session id to another yet.. next version hopefully :)

Thanks Orstio for your reviews! very much appreciated

Orstio

Quote
actually I do throw an exception to catch it from joomla, this way you should be able to exit properly still wrapping the forum inside joomla; I'll add a test for php > 5 otherwise I'll just exit (like the original code)
the patch is

Yes, PHP 4 won't accept the exception.

Do you exit in Joomla, or let it fall through normally?  My concern is that on the admin login, for example, if it falls through, the output buffer will be flushed and reach the browser when PHP exits normally.

ilwoody

Quote from: Orstio on June 06, 2008, 05:37:42 PM
Quote
actually I do throw an exception to catch it from joomla, this way you should be able to exit properly still wrapping the forum inside joomla; I'll add a test for php > 5 otherwise I'll just exit (like the original code)
the patch is

Yes, PHP 4 won't accept the exception.

Do you exit in Joomla, or let it fall through normally?  My concern is that on the admin login, for example, if it falls through, the output buffer will be flushed and reach the browser when PHP exits normally.

I get the buffer, rewrite the URLs and then let it fall through normally; Joomla adds its own layout and it reaches the browser.
If I got it properly, the use of exit is just to keep SMF from calling "privileged" code when the user does not have access to it, but the buffer generated immediately before the exit function reaches the browser anyway, no? Because if it doesn't, then the integration is vulnerable and I would need to apply the fix I wrote you in a PM, or at least separate "safe exit" (which can reach the browser) from "unsafe exit" (which cannot reach the browser).


ilwoody

Quote from: baijianpeng on June 06, 2008, 04:31:58 AM
Quote
The package you are trying to download or install is either corrupt or not compatible with this version of SMF.

the package was broken, you can download the latest version, it fixes that problem

Quote
I don't know what format I should input in the field of "SMF absolute path": H:\xampp\htdocs\smf2\ or H:\xampp\htdocs\smf2? I mean, should I keep the last slash?

last slash is not needed, I do append it for you by code :)

Quote
Another problem is that there is a parameter at the backend of the SJSB bridge component which asks for "Custom ItemID", and the default value is -1. I don't know what I should do with this field.

http://code.google.com/p/sjsb/wiki/Step1
;)

Quote
I tried to install the smfmod manually and then created a frontend menu through the SJSB component to view the default forum page. But when I click this menu at frontend, I got a blank page in FireFox browser.

the bridge doesn't support compressed output, could you please check if you have enabled it on your smf admin panel ?

Quote
However, I believe SJSB is a good bridge which can really work since I had seen the demo on your website. Then I hope you will add multi-language support to this bridge component so that I can offer you a Chinese translation.

hopefully it will get better and better, atm it's buggy and vulnerable :(

Orstio

Quote
If I got it properly the use of exit is just to avoid SMF to call "privileged" code when the user has not access to it,

No, actually the exit is there to prevent the buffer from getting flushed.

By default, PHP flushes* any buffer output that exists at script end.  What that means is that before PHP exits normally, it looks for any open buffers and sends the output of those buffers out to the browser.  SMF's exit is there to prevent this from happening when the buffer contains privileged information.



*Flushing in terms of output buffering is similar to flushing a toilet.  Imagine that the site is a toilet, the buffer is something floating in the toilet, and the browser is the sewer.  When the buffer is flushed, it ends up in the browser. ;)
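
The "safe exit" versus "unsafe exit" split that ilwoody raises above, sketched as an added example that is not part of the thread and is not SMF or SJSB code: a wrapper that catches the exit exception either emits whatever was buffered or discards it. All class and function names are hypothetical and the buffered text is constructed.

```php
<?php
// Added illustration; every name here is hypothetical, not SMF or SJSB code.

// Exit signal that records whether the buffered page may reach the browser.
class ForumExit extends Exception
{
    public $safeToEmit;

    public function __construct($safeToEmit)
    {
        parent::__construct('forum exit');
        $this->safeToEmit = (bool) $safeToEmit;
    }
}

// Constructed stand-in for a forum action that has buffered output when it stops.
function forum_action($isAdmin)
{
    echo 'admin-only: constructed sample setting';
    throw new ForumExit($isAdmin); // non-admins get an "unsafe" exit
}

// Fail-open wrapper: any exception is swallowed and the buffer is returned as-is.
function wrap_fail_open($isAdmin)
{
    ob_start();
    try {
        forum_action($isAdmin);
    } catch (Exception $e) {
        // nothing: execution falls through with the buffer intact
    }
    return ob_get_clean();
}

// Fail-closed wrapper: the buffer is discarded unless the exit was marked safe.
function wrap_fail_closed($isAdmin)
{
    ob_start();
    try {
        forum_action($isAdmin);
    } catch (Exception $e) {
        if (!($e instanceof ForumExit) || !$e->safeToEmit) {
            ob_end_clean();
            return 'Access denied';
        }
    }
    return ob_get_clean();
}

// Compare what each wrapper hands back for a non-admin and for an admin.
var_dump(wrap_fail_open(false), wrap_fail_closed(false), wrap_fail_closed(true));
```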

baijianpeng

Quote from: ilwoody on June 06, 2008, 07:54:38 PM
the bridge doesn't support compressed output, could you please check if you have enabled it on your smf admin panel ?

This may be exactly the problem; I always enable gzip compression to speed up the website. I will test this with the new v1.0.4 bridge.

Thanks to ilwoody !
