Geeklog The Ultimate Weblog System
Friday, May 16 2008 @ 04:23 AM EDT

Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates

These releases address the following security issues:
  1. It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
  2. Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete all objects in that area (e.g. stories) even if the user was not supposed to have access to them, provided the id of the object was known.
  3. It was possible to delete other people's personal events if you knew the event ID.
  4. It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
  5. Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
  6. The comment display suffered from the possibility of an SQL injection (reported by Jelmer).
  7. It was possible to inject Javascript code in the calendar (reported by Jelmer).
  8. It was possible to execute (but not save) Javascript code in the comment preview (reported by Jelmer).

As usual, there's an upgrade and complete tarball for 1.3.8-1sr4. The 1.3.7sr5 upgrade is only available as an upgrade tarball and requires 1.3.7sr4.
Please make sure you're picking the correct upgrade file. Looking through some of the forum posts reporting problems after upgrades, it looks like some of them have been caused by applying a 1.3.7 upgrade on a 1.3.8 install. Please don't let the digit after the "sr" confuse you - it's 1.3.7sr5, but 1.3.8-1sr4.

Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates | 18 comments
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: public2 on Monday, January 26 2004 @ 07:46 PM EST
It would be nice if the changes to each php file would be listed when such an update comes out.

I have modified many files to make geeklog fit my needs. But every time an update is out I have to review each and every file line by line before I update my sites.

I would see something like:

===========================
File: submit.php

- line 217: added: if(user=..........
- new "delete function" added at line 347
- lines 567 to 822 deleted
- end of modifications
===========================

And so on. I'm quite sure it would be appreciated by many, when a new security update is out.


Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: vinny on Monday, January 26 2004 @ 09:52 PM EST
The patch and diff commands are made to generate exactly that data.

Diff: http://www.hmug.org/man/1/diff.html
Patch: http://www.hmug.org/man/1/patch.html

It's a lot of extra work for the developers to generate that data when it is just as much work (if not easier since you're the only one with your changes) for you to do it.

If you'd like to generate this data and offer it to the rest of the Geeklog community (perhaps on your own web page) I'm sure there are some people who would appreciate it.

-Vinny
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: amckay on Monday, January 26 2004 @ 10:20 PM EST
I've found this a PITA as well, and would prefer to upgrade just individual files.

Therefore, I will volunteer to write a diff tool to do the job for us henceforth.

Will try to have it ready in the next few days.
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: amckay on Tuesday, January 27 2004 @ 02:31 PM EST
Well, it seems diff already does this for us if you give it the right options. Below is the option for just showing whether files differ or not. I'll write a little web front-end for it for my website, and allow specification of the option to show how files differ, not just whether they do.

heimat# diff -qbr geeklog-1.3.8-1sr3/ geeklog-1.3.8-1sr4/
Files geeklog-1.3.8-1sr3/config.php and geeklog-1.3.8-1sr4/config.php differ
Files geeklog-1.3.8-1sr3/docs/changed-files and geeklog-1.3.8-1sr4/docs/changed-files differ
Files geeklog-1.3.8-1sr3/docs/changes.html and geeklog-1.3.8-1sr4/docs/changes.html differ
Files geeklog-1.3.8-1sr3/docs/config.html and geeklog-1.3.8-1sr4/docs/config.html differ
Files geeklog-1.3.8-1sr3/docs/history and geeklog-1.3.8-1sr4/docs/history differ
Files geeklog-1.3.8-1sr3/docs/install.html and geeklog-1.3.8-1sr4/docs/install.html differ
Files geeklog-1.3.8-1sr3/public_html/admin/block.php and geeklog-1.3.8-1sr4/public_html/admin/block.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/event.php and geeklog-1.3.8-1sr4/public_html/admin/event.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/group.php and geeklog-1.3.8-1sr4/public_html/admin/group.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/link.php and geeklog-1.3.8-1sr4/public_html/admin/link.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/poll.php and geeklog-1.3.8-1sr4/public_html/admin/poll.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/story.php and geeklog-1.3.8-1sr4/public_html/admin/story.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/topic.php and geeklog-1.3.8-1sr4/public_html/admin/topic.php differ
Files geeklog-1.3.8-1sr3/public_html/admin/user.php and geeklog-1.3.8-1sr4/public_html/admin/user.php differ
Files geeklog-1.3.8-1sr3/public_html/calendar.php and geeklog-1.3.8-1sr4/public_html/calendar.php differ
Files geeklog-1.3.8-1sr3/public_html/calendar_event.php and geeklog-1.3.8-1sr4/public_html/calendar_event.php differ
Files geeklog-1.3.8-1sr3/public_html/comment.php and geeklog-1.3.8-1sr4/public_html/comment.php differ
Files geeklog-1.3.8-1sr3/public_html/submit.php and geeklog-1.3.8-1sr4/public_html/submit.php differ
Files geeklog-1.3.8-1sr3/public_html/usersettings.php and geeklog-1.3.8-1sr4/public_html/usersettings.php differ


Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: Blaine on Monday, January 26 2004 @ 11:34 PM EST
There are also UNIX diff tools but I develop on Windows mostly and found the tool Beyond Compare to be a great asset. It can compare directories and files and easily show you the changes.

I've learned to not customize core GL files all that much and keep my customized code in lib-custom. There are a lot of GL features that let you extend the core functions without hacking code.

Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: public2 on Wednesday, January 28 2004 @ 09:00 AM EST
I agree with you that modifying the core GL files is not the best way to go. But sometimes it's the only way. lib-custom is useful but it can't be used for everything. For example, for sites in other languages I had to create new tables, and table access is hard coded in some core GL files. So I had to add some code in it.

After all the comments I've read I think CVS is the way to go. But I don't find anything for Windows.

Thanks,

Alain
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: zuke on Tuesday, January 27 2004 @ 12:11 AM EST
To update my installation, do I do a simple file replace with the ones in the tarball?
This isn't specified in the README file included with 1.3.8-1sr4.
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: Dirk on Tuesday, January 27 2004 @ 03:20 AM EST
If you're currently on 1.3.8-1sr3, then yes, simply copy the files from the upgrade archive over the existing files.

bye, Dirk
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: Dirk on Tuesday, January 27 2004 @ 03:25 AM EST
You can always refer to CVS for the actual changes.

Or, as others have pointed out, use diff.

bye, Dirk

Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: James Fryer on Tuesday, January 27 2004 @ 07:26 AM EST
CVS is the tool to use here. Import GL into your local repository, apply your changes, then you can import future versions of GL and merge them with your changes.

See this page.

Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: barrywong on Tuesday, January 27 2004 @ 05:26 AM EST
I just installed upgrade patches for 1.3.8.1sr4 and I got this error message when clicking story.

Fatal error: Call to undefined function: com_getpermsql() in /home/htdocs/public_html/admin/story.php on line 444

Can someone please tell me what I did wrong? Thank you.
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: barrywong on Tuesday, January 27 2004 @ 05:32 AM EST
Oops, sorry, my fault. I used 1.3.8.1sr4 to patch 1.3.7sr3. Sorry for raising a false alarm.

Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: Anonymous on Thursday, January 29 2004 @ 01:15 PM EST
ok now I found a problem.
When someone tries to update their info.
It is not coming up in their profile.
It reads the old profile but not the new info.
Is there something I did wrong?
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: Anonymous on Thursday, January 29 2004 @ 03:03 PM EST
Let me add that the GL default stuff will update.
But the added fields that you can put in from the forums.
Like messengers will not update.
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: destr0yr on Friday, January 30 2004 @ 12:28 AM EST
I see what freakworld has noticed. On my site with the newest forums and the extra user info, changing any info is not being saved... I do have extra info enabled in the forum config.

---
-- destr0yr - "People like you are the reason people like me need medication."
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: treborstew on Saturday, February 07 2004 @ 02:23 PM EST
I am experiencing the same issue - The user settings will not update/save any of their info (name, new password, url, etc..)

If I log in to the admin index page and click on users, then click on the user's name - I can change the password there and it saves -

please let me know if you figure out where to find the fix for this issue
Geeklog 1.3.8-1sr4 and 1.3.7sr5 security updates
Authored by: taksrud on Friday, January 30 2004 @ 09:00 AM EST
Hi,

I have been using geeklog for a couple of years now and have put up
several sites, but today when I set up a new site with the latest version I
got a problem with RSS feeds. I believe I have tried everything, but even
my own (local) RDF file is not being displayed; I only get the "standard"
error message.

Geeklog's error.log file contains "Can not reach http://localhost/
backend/geeklog.rdf ", but when doing a tcpdump it does not look like
the application is even trying to connect to this (or any other site I put in
as RSS feed) site.

I suspect it might be an error or change in PHP, since I have found some
indications on the net around similar issues.

Anyway, ...

Here are my sw versions:

OpenBSD 3.4
PHP 4.3.3
Geeklog 1.3.8-1sr4
(MySQL 3.23.57p1)

Can anyone confirm this error?

...oh...and... if I use lynx on this server and open the RSS feed it works
fine.

anything else I should have included? If so... mail me! :)

-taksrud
shame on you
Authored by: jkuperus on Friday, February 13 2004 @ 08:54 AM EST
"fix suggested by Vincent Furia" - sjeez, what he suggested is just a synchronizer token, a pretty common design pattern in the Java world. Anyway, shame on Geeklog, so many vulnerabilities in a simple blog.
