
[0.7.5] Undefined index in manageuser.php

Get help with problems, or report & discuss bugs in Collabtive

Postby kneekoo » 18.03.2012, 14:05

The following happened when English is not the selected locale in the user's profile:
Notice: Undefined index: id in manageuser.php on line 172


I tested it with Romanian, Spanish, Portuguese, Bulgarian and 2-3 others. All bring up the same issue.
kneekoo
 
Posts: 3
Joined: 18.03.2012, 13:52

Re: [0.7.5] Undefined index in manageuser.php

Postby Philipp » 19.03.2012, 07:14

don't use E_STRICT on production servers
Philipp
Site Admin
 
Posts: 969
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: [0.7.5] Undefined index in manageuser.php

Postby kneekoo » 19.03.2012, 13:53

Thanks for the reply but please don't leave undefined variables. It's an invitation for hackers, let alone the temptation of grabbing unprotected project files. I don't mean this the wrong way, I love what you did with Collabtive so far, but after you get hacked a few times and lose data you are quite tempted to avoid any other headaches.

It's open source, and no matter how you configure PHP on a production server, since everyone knows these issues it's easy to exploit them. For the record, I installed Collabtive on my PC but I will certainly wait for an update until I install it on a production server.
kneekoo
 
Posts: 3
Joined: 18.03.2012, 13:52

Re: [0.7.5] Undefined index in manageuser.php

Postby Philipp » 19.03.2012, 14:59

Please elaborate how you think an undefined index, which seems to happen when a language file contains empty entries, is a security issue.
It isn't.

Also, there is no way Collabtive can prevent files from being downloaded from the server without the webserver being configured in a certain (non-default) way.
As soon as you allow public-reading access to the folder where the server stores the files (this is the default on apache) - there is no such thing as "file security" anymore. Many (shared / virtual) Webhosting accounts won't even allow you to configure your server in such a way that file security is possible.
Because anyone who can guess a file name can then simply download it directly from the webserver.

All we could do would be making it somewhat harder to download any files directly (by not publishing their URLs in the Collabtive UI).
But this would be nothing more than "security by obscurity". Because as long as the webserver allows any user to download the files - you can always try to guess their URLs and download them directly from the server.

There's nothing Collabtive can do about this.
If you are going to wait for this fix - you will have to wait a very long time.
Philipp
Site Admin
 
Posts: 969
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany

Re: [0.7.5] Undefined index in manageuser.php

Postby kneekoo » 24.03.2012, 02:00

Fortunately, in this particular case there's no security threat in that undefined variable. But I definitely didn't expect "don't use E_STRICT on production servers" because whatever the status, the bug still needs to be fixed. If it wasn't obvious to me, as a web developer, that this project is quite elaborate, I could've said you're some ignorant PHP newbie. I'm sure you know what I mean and reading your other input in the other threads it's now clear that you actually pay attention to us, naggers. :P So thank you!

Regarding the security of the project files it's more than black and white. Sure, some people don't understand the importance of setting Options -Indexes on a web server (regardless if dev/prod), some might not know how to use chmod, chown and mod_access to their advantage, or that Collabtive renames the uploaded files, but the fact is Collabtive offers direct links to the files, so anyone with access can copy/paste these links and unauthenticated people can hotlink/access them freely. The least we should have in Collabtive is a special php file that offers access to the project files based on credentials - something like getProjectFile.php?id=123. You know the rest. Then, as a second security feature Collabtive could try to create a .htaccess with deny from all as the default policy for the upload directory. But even getProjectFile.php alone would be a good improvement and I hope you'll find some time to make this happen, hopefully soon. :)
kneekoo
 
Posts: 3
Joined: 18.03.2012, 13:52

Re: [0.7.5] Undefined index in manageuser.php

Postby some person » 24.03.2012, 16:07

kneekoo wrote:Regarding the security of the project files it's more than black and white. Sure, some people don't understand the importance of setting Options -Indexes on a web server (regardless if dev/prod), some might not know how to use chmod, chown and mod_access to their advantage, or that Collabtive renames the uploaded files, but the fact is Collabtive offers direct links to the files, so anyone with access can copy/paste these links and unauthenticated people can hotlink/access them freely.

I would agree that there is a problem here. Not all users will have the expertise to be able to add these things to make access to their files more secure. Maybe providing a .htaccess file by default, and maybe blank index.html files in the files directory. Adding index.html would stop people from getting a list of directories and files from users who have indexing turned on on their website.

But I would say .htaccess is unnecessary since collabtive renames the uploaded files, and this makes it hard to guess the file names. But this is defeated by collabtive providing a direct link to the files.

kneekoo wrote:The least we should have in Collabtive is a special php file that offers access to the project files based on credentials - something like getProjectFile.php?id=123

I have provided modifications to add authentication to file downloads, this can be found here viewtopic.php?p=13055#p13055. It provides links as so managefile.php?action=download&id=1&file=2.

With my modifications collabtive does not provide direct links, but I am aware that it is a bit useless as it provides the full file names, along with the appended characters. So for some users it could be quite easy to guess the direct location, even though a direct link is not provided.

In the following days I will update my method to include a fix for the above mentioned problem. I will have it provide the original file name. I also have some other small changes, and I will also provide all the modified files, to make it easier to apply my modifications.
some person
 
Posts: 363
Joined: 16.04.2011, 12:46
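The credential-checked download script kneekoo proposes above (getProjectFile.php?id=123) and the managefile.php?action=download route some person describes can be combined into one gateway that never exposes a direct URL to the uploaded file. The following is an added example written for this page, not Collabtive's own code and not the patch linked in the previous post; the table and column names, the session key, the PDO credentials and the upload directory path are all assumptions. The script only accepts a numeric id, resolves it to a stored name through a query that also checks the caller's project membership, and then streams the file under its original name.

```php
<?php
// getProjectFile.php - hypothetical authenticated download gateway.
// Added example, not Collabtive's code. Assumed schema:
//   files(id, project, stored_name, orig_name)
//   project_members(user, project)        (assumed membership table)
// Assumes the upload directory is outside the DocumentRoot (or blocked by
// "Deny from all" / "Require all denied"), so this script is the only way
// to fetch a file.

declare(strict_types=1);

session_start();

const UPLOAD_DIR = '/var/collabtive-files';   // assumed: outside DocumentRoot

function deny(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

// 1. Require a logged-in user (assumed session key).
$userId = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : 0;
if ($userId <= 0) {
    deny(401, 'login required');
}

// 2. Only accept a numeric id; never take a file name from the client.
$rawId = $_GET['id'] ?? null;
if (!is_string($rawId) || !ctype_digit($rawId)) {
    deny(400, 'bad id');
}
$fileId = (int) $rawId;

$pdo = new PDO('mysql:host=localhost;dbname=collabtive', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// 3. Look up the file AND the caller's membership in one query, so an
//    authenticated user cannot enumerate other projects' files by id.
$stmt = $pdo->prepare(
    'SELECT f.stored_name, f.orig_name
       FROM files f
       JOIN project_members pm ON pm.project = f.project
      WHERE f.id = :id AND pm.user = :uid'
);
$stmt->execute([':id' => $fileId, ':uid' => $userId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    // Same response whether the file is missing or the user lacks access.
    deny(404, 'not found');
}

// 4. Defence in depth: the stored name comes from the database, but still
//    refuse anything that is not a plain basename and confirm the resolved
//    path stays inside UPLOAD_DIR (guards against a tampered row).
$stored = (string) $row['stored_name'];
if ($stored === '' || $stored !== basename($stored)) {
    deny(500, 'bad stored name');
}
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $stored);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    deny(404, 'not found');
}

// 5. Stream the file under its original name, forced as a download so that
//    uploaded HTML or SVG is never rendered inside the site's own origin.
$downloadName = str_replace(['"', "\r", "\n", '/', '\\'], '', (string) $row['orig_name']);
if ($downloadName === '') {
    $downloadName = 'file-' . $fileId;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
readfile($path);
```

The script is only as good as the web server rule behind it: on Apache 2.2 the upload directory needs `Order deny,allow` plus `Deny from all` (Apache 2.4: `Require all denied`), and where .htaccess is not available, which is the IIS case Philipp raises below, moving the directory outside the DocumentRoot gives the same result on any server. Renamed files and a blank index.html only hide the names; without one of these two measures anyone who learns a name can still fetch the file directly.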

Re: [0.7.5] Undefined index in manageuser.php

Postby Philipp » 24.03.2012, 17:12

One note: afaik .htaccess only works on Linux(oid) OSes ... that is not on windows/IIS
So - this is not a solution that works out of the box for every user.

Another thing:
viewtopic.php?f=8&t=5133&p=14685#p14685
Philipp
Site Admin
 
Posts: 969
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany
