Files allowed -- Blacklist instead of Whitelist?

Support and feedback for UniAdmin

Files allowed -- Blacklist instead of Whitelist?

Postby Graiford » Fri Mar 16, 2007 7:23 pm

Just a suggestion, the new 0.7.6 Uniadmin has a whitelist of files that's tending to cause issues either uploading / processing addons. It may be more beneficial to have a blacklist for types of files that CAN'T be uploaded instead of a whitelist of files that CAN be uploaded.


Again, this is just a suggestion. If anyone has a good work-around or significant concern as to otherwise, please let me know.
Graiford
WR.net Apprentice
WR.net Apprentice
 
Posts: 14
Joined: Thu Oct 26, 2006 8:14 pm

Files allowed -- Blacklist instead of Whitelist?

Postby zanix » Sat Mar 17, 2007 2:30 am

It has been decided in a long security related thread that a white list is the way to go
Read the Forum Rules, the WiKi, and Search before posting!
WoWRoster v2.1 - SigGen v0.3.3.523 - WoWRosterDF
User avatar
zanix
Admin
Admin
WoWRoster.net Dev Team
WoWRoster.net Dev Team
UA/UU Developer
UA/UU Developer
 
Posts: 5543
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

Files allowed -- Blacklist instead of Whitelist?

Postby Graiford » Tue Mar 20, 2007 11:26 pm

hmmm, ok. Is there any way the enduser can turn that off then? I can't really see going through every zip file and figuring out all the file extensions.
Graiford
WR.net Apprentice
WR.net Apprentice
 
Posts: 14
Joined: Thu Oct 26, 2006 8:14 pm

Files allowed -- Blacklist instead of Whitelist?

Postby zanix » Wed Mar 21, 2007 7:53 am

I'm changing this to a blacklist for 0.7.7

As of right now, there isn't a way to turn this off without editing code

include/uniadmin.php

Find
Code: Select all
        $list $archive->extract(PCLZIP_OPT_PATH$path,
            
PCLZIP_CB_PRE_EXTRACT'pclzip_pre_extract'); 

Replace with
Code: Select all
        $list $archive->extract(PCLZIP_OPT_PATH$path); 
Read the Forum Rules, the WiKi, and Search before posting!
WoWRoster v2.1 - SigGen v0.3.3.523 - WoWRosterDF
User avatar
zanix
Admin
Admin
WoWRoster.net Dev Team
WoWRoster.net Dev Team
UA/UU Developer
UA/UU Developer
 
Posts: 5543
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

Files allowed -- Blacklist instead of Whitelist?

Postby MattM » Fri Mar 23, 2007 7:26 am

i thought we were going with a whitelist
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

Files allowed -- Blacklist instead of Whitelist?

Postby zanix » Fri Mar 23, 2007 9:04 am

I dunno if that is a good idea
The problem is keeping UA and UU's lists sync'ed
Read the Forum Rules, the WiKi, and Search before posting!
WoWRoster v2.1 - SigGen v0.3.3.523 - WoWRosterDF
User avatar
zanix
Admin
Admin
WoWRoster.net Dev Team
WoWRoster.net Dev Team
UA/UU Developer
UA/UU Developer
 
Posts: 5543
Joined: Mon Jul 03, 2006 8:29 am
Location: Idaho Falls, Idaho
Realm: Doomhammer (PvE) - US

Files allowed -- Blacklist instead of Whitelist?

Postby MattM » Sun Mar 25, 2007 10:47 pm

its decided then, we will use blacklists
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

Files allowed -- Blacklist instead of Whitelist?

Postby ScratchMonkey » Wed Mar 28, 2007 7:22 am

A whitelist is as trustable as the website you're downloading from. Do you trust your GM?

I'd prefer to know exactly what files are being blocked so that GM's can more easily maintain their whitelist.
User avatar
ScratchMonkey
WR.net Expert
WR.net Expert
 
Posts: 212
Joined: Wed Jul 05, 2006 4:32 pm
Location: San Pablo, CA

Files allowed -- Blacklist instead of Whitelist?

Postby MattM » Wed Mar 28, 2007 11:09 am

If uu detects a filetype in the blacklist, it will say so in the debug log.

UU/UA blacklist is a SMALL securety measure compared to anything you can "trust"

It is true, if there are guildies that dont "trust" the person distributing these tools/services then there is a serious problem, a problem not concerning the developers of these tools.

We do as much as possible for the good of the community as far as these tools go, but we can't develop trust between anyone and anyone else.

what more can we do...
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

Files allowed -- Blacklist instead of Whitelist?

Postby ScratchMonkey » Wed Mar 28, 2007 12:14 pm

Agreed.

Note that "trust" in this sense isn't about good or bad will, but about knowledge of threats. I wouldn't trust my mother in this sense. She wouldn't have the first clue about what constitutes a threat. A guild that deploys software over the web would do well to recruit not just a good tank and a good healer, but a good security-minded IT person as well. It's important not to agro the crackers! ;)
User avatar
ScratchMonkey
WR.net Expert
WR.net Expert
 
Posts: 212
Joined: Wed Jul 05, 2006 4:32 pm
Location: San Pablo, CA

Re: Files allowed -- Blacklist instead of Whitelist?

Postby MattM » Wed Mar 28, 2007 9:38 pm

very good point. The IT guy could then reassure the guildies that everything is fine, after investigating everything.
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

Re: Files allowed -- Blacklist instead of Whitelist?

Postby gorgeth » Thu Mar 29, 2007 7:19 am

zanix wrote:I'm changing this to a blacklist for 0.7.7

As of right now, there isn't a way to turn this off without editing code

include/uniadmin.php

Find
Code: Select all
        $list $archive->extract(PCLZIP_OPT_PATH$path,
            
PCLZIP_CB_PRE_EXTRACT'pclzip_pre_extract'); 

Replace with
Code: Select all
        $list $archive->extract(PCLZIP_OPT_PATH$path); 


This is a nice fix for UA, but UU now will choke on the DL of anything that would have choked UA pre-fix...

Any chance of getting a UU build that works with UA so that mods with 2 periods in a directory name etc can actually be downloaded?
User avatar
gorgeth
WR.net Apprentice
WR.net Apprentice
 
Posts: 26
Joined: Tue Jul 04, 2006 4:57 pm

Files allowed -- Blacklist instead of Whitelist?

Postby MattM » Thu Mar 29, 2007 10:56 am

too tired, unable to understand :(
MattM
UA/UU Developer
UA/UU Developer
Gimpy Developer
Gimpy Developer
 
Posts: 886
Joined: Tue Jul 04, 2006 9:53 pm
Location: USA

Files allowed -- Blacklist instead of Whitelist?

Postby Shadowsong » Fri Mar 30, 2007 5:05 am

yea thats the point... where can I modify the blacklist filetype?

Need it really badly for my cartographer :neutral: :scratch: :shaking:
Last edited by Shadowsong on Fri Mar 30, 2007 5:06 am, edited 1 time in total.
User avatar
Shadowsong
WR.net Apprentice
WR.net Apprentice
 
Posts: 32
Joined: Wed Feb 14, 2007 2:39 pm

Files allowed -- Blacklist instead of Whitelist?

Postby foreseit » Thu May 24, 2007 9:58 pm

You can modify the include/constants.php file. Do a search for "'UA_ADDON_BLACKLIST" and delete out the conflicts with cartographer.
<a href="thehateguild.com"><img src="/anetheron/addons/siggen/sig.php?name=Foreseit"></a>
User avatar
foreseit
WR.net Journeyman
WR.net Journeyman
 
Posts: 139
Joined: Tue Jul 25, 2006 10:03 pm


Return to UniAdmin

Who is online

Users browsing this forum: No registered users and 0 guests

cron