I am researching the conversion and have some questions on approach.
There are many people pages. Q: How frowned upon are URLs with parameters? Can we use something like /webtools/people/person.php?name=bfraser and dynamically serve up a Phoenix page from bfraser.xml? Or is it better to generate a static PHP page for each name, e.g. bfraser.php? This would mean we would still have to run the build.xml.
Denis (the Eclipse webmaster) expressed concern over accepting parameters. I believe another project was doing this and it was exploited by an attacker. In general, I think as long as you perform sufficient checking on the parameter it will be fine. Accepting "bfraser" and having a table that maps that value to braser.xml (not simply appending .xml to the name given though, actually mapping to a completely separate file name so "bfraser" is simply a key in a table) with a suitable default for invalid entries will probably work.
Thanks for the input Lawrence. I was considering "cleaning" the input string with a search/replace that only allowed alpha characters (i.e. no .. or / etc.). Oh, and keep '-' so we don't lose Bjorn :) Are there other exploits to worry about with this approach?
I checked in the first part of the Phoenix conversion for the people pages. To get a Phoenix page of someone invoke as follows: /webtools/people/person.php?name=<lastName> (without the <> of course)

I have done the following to avoid any PHP exploits:
1) Used the getHTTPParameter function recommended here: http://wiki.eclipse.org/index.php/Using_Phoenix#Using_HTTP_Parameters
2) Filtered the input against a white list. Only a-z and '-' is allowed.
3) '.xml' is appended and we look for the xml file in the local directory. Only if we find a valid file do we proceed.
4) The argument is never used again. All output is driven from the XML and XSLT files.

I invite all peer review of this.
Thanks
Bob
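The four steps listed in the comment above, written out as an added PHP example (editor's illustration, not the project's person.php): allowlist the parameter, append a fixed extension, confirm the resolved file is a regular file inside the script's own directory, then drive all output from XML and XSLT. The bare getHTTPParameter() call form, the person.xsl stylesheet name and the 64-character limit are assumptions.

```php
<?php
// Added example; not code from the Eclipse WTP site. Assumes Phoenix exposes
// getHTTPParameter() as a plain function and that person.xsl sits beside this file.

function resolvePersonFile(string $name, string $dir): ?string
{
    // Step 2: allowlist. Only lowercase letters and '-' (keeps "bjorn-x" style
    // names). "..", "/", "\0", an empty value or an over-long value are rejected.
    if (!preg_match('/^[a-z-]{1,64}$/', $name)) {
        return null;
    }
    // Step 3: append the fixed extension and look only in the local directory.
    $candidate = $dir . DIRECTORY_SEPARATOR . $name . '.xml';
    $real = realpath($candidate);
    $base = realpath($dir);
    // Defence in depth: even with the allowlist, require that the resolved path
    // is a regular file under $dir (a stray symlink could otherwise point elsewhere).
    if ($real === false || $base === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Step 1: read the parameter through the Phoenix helper (assumed call form).
$name = getHTTPParameter('name');
$xmlFile = resolvePersonFile($name, __DIR__);
if ($xmlFile === null) {
    // Suitable default for invalid entries: a generic 404 that echoes nothing back.
    http_response_code(404);
    echo 'Unknown person';
    exit;
}
// Step 4: $name is not used again; output comes only from the XML and XSLT.
$xsl = new DOMDocument();
$xsl->load(__DIR__ . '/person.xsl', LIBXML_NONET);   // assumed stylesheet name
$xml = new DOMDocument();
$xml->load($xmlFile, LIBXML_NONET);                  // local, committed data only
$proc = new XSLTProcessor();
$proc->importStylesheet($xsl);
echo $proc->transformToXML($xml);
```

A quick check against the request in the thread: name=../../etc/passwd fails the regex, name=bfraser%00 fails it too (the null byte is not in the allowlist), and a name that passes but has no matching .xml file gets the 404 branch.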
Added /webtools/people/main.php to generate an index page of contributors.
Added /webtools/people/contributors.php to generate the activity index.
Fixed all cross references between pages.
Try it out and click around. Last step, if we all like it, is to do the redirects.
WebMaster, I have a php page that takes an http parameter and I want to make sure everything looks secure. Can someone please take a look at this? Comment #4 has all the details. Thanks, Bob Fraser Web Tools Website committer
This looks good to me. Thanks for asking.
Cut over to Phoenix enabled people pages. Added html redirects. Almost done. Need to figure out how to handle the redirects of the individual people pages or just leave them.
Decided to leave the old html pages. Haven't been able to come up with a nice way to generate the ~90 redirect files. Came close, but one XSLT generating multiple html files doesn't work for me. So I think we are done. Resolving as fixed.
Added the HTML redirects anyway. The xslt transform assumes the basename of the xml file is the same as person/name/family-name in lowercase. This was true for the files I checked, but may not always be a safe assumption. This should not be a problem, since we shouldn't need any new redirects. People should start using the new php form of the URL.
Closing