Security enhancements
Docwyatt2001 | Developer | Posts: 98
Version: Memht 3.5 | Country: Australia | Languages: English
Date: 12/05/2008 11:29 | Security enhancements | #post7085
I've been going over some of the code and data in the program, and one of the things I would like to suggest is some sort of protection for the email addresses from crawlers. With the security tightened this isn't too much of an issue, but in those areas that have guest access, email addresses will be seen.
I realise an attempt has been made to add some in with the "username at domain dot extension" form, but it wouldn't be too difficult for a crawler to look for this syntax and harvest it.
There are some methods located here --> http://iframe.in/email-protector/
that can give ways to do it at the code level (maybe a combination of some of these: the reformat to the string you have displayed, with the RTL or HTML entities at the code level?).
"Where is my damn coffee!!!"
paulo89 | Moderator, Developer | Posts: 1286
Version: 3.8.1 | Country: Portugal | Languages: Portuguese, Portuguese and little english ^^
Date: 13/05/2008 09:03 | Re: Security enhancements | #post7088
Hi
For now there haven't been problems with "at" and "dot".
But for the future it is a nice idea.
Docwyatt2001 | Developer | Posts: 98
Version: Memht 3.5 | Country: Australia | Languages: English
Date: 13/05/2008 09:06 | Re: Security enhancements | #post7089
I was just looking at it from a pure code point of view... Things like SQL injection protection, field validation, session injection, man in the middle, etc.
Still coming to grips with how Memht does some of its stuff, so I might have some more coming.
"Where is my damn coffee!!!"
paulo89 | Moderator, Developer | Posts: 1286
Version: 3.8.1 | Country: Portugal | Languages: Portuguese, Portuguese and little english ^^
Date: 13/05/2008 09:11 | Re: Security enhancements | #post7090
I admire you for that, and I say this because some people come here to talk without first looking at the code.
If you need help, we are here.
Docwyatt2001 | Developer | Posts: 98
Version: Memht 3.5 | Country: Australia | Languages: English
Date: 14/05/2008 18:48 | Re: Security enhancements | #post7129
It's good to see how other people may solve a problem; it helps you learn stuff.
Another suggestion (IP sanitisation)...
As marked in inc_functions.php, ~line 309, the validIp function regex could be improved (this stops 999.999.999.999, for example).
This should do the trick.
| code |
// eregi() only takes POSIX syntax (no (?:...) groups) and is gone in PHP 7, so use preg_match; the dot is escaped so it matches only '.', and /D stops $ matching before a trailing newline
return (preg_match('/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/D', $ip)) ? true : false;
|
Alternatively, you could swap the ^ at the start and the $ at the end for \b so it could be used anywhere.
Also, I started playing around with the maskEmail function... I should have a working version of what I was suggesting by tomorrow.
Edited: 14/05/2008 18:51
"Where is my damn coffee!!!"
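The octet pattern from the post above, taken a little further as an added example (this is not MemHT code and not the poster's): it is used once as a strict validator and once in the `\b`-bounded form the post mentions, and both are run over constructed inputs next to PHP's own `filter_var()`. The function names `isValidIPv4`, `findIPv4` and `filterIPv4` are my own; the sample addresses are made up for the test.

```php
<?php
// Added example, not MemHT code: the octet pattern from the post used as a
// strict validator and as a \b-bounded scanner, compared with filter_var()
// on constructed inputs. Plain PHP 5.3+, no extensions needed.

// One octet, 0-255. Note that leading zeros pass (e.g. "010", "007").
define('OCTET', '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)');

// Strict check: the whole string must be exactly one dotted quad.
// The /D modifier keeps $ from matching before a trailing "\n".
function isValidIPv4($ip) {
    return preg_match('/^(?:' . OCTET . '\.){3}' . OCTET . '$/D', $ip) === 1;
}

// Loose scan with word boundaries, for pulling addresses out of free text
function findIPv4($text) {
    preg_match_all('/\b(?:' . OCTET . '\.){3}' . OCTET . '\b/', $text, $m);
    return $m[0];
}

// PHP's built-in validator, for comparison
function filterIPv4($ip) {
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Constructed inputs: [input, expected from the regex, expected from filter_var]
$cases = array(
    array('192.168.1.1',     true,  true),
    array('255.255.255.255', true,  true),
    array('0.0.0.0',         true,  true),
    array('999.999.999.999', false, false),  // the case the post wants stopped
    array('256.1.1.1',       false, false),
    array('1.2.3',           false, false),
    array('1.2.3.4.5',       false, false),
    array("1.2.3.4\n",       false, false),  // newline must not slip past $
    array('1.2.3.4 evil',    false, false),
    // Leading zeros: the octet pattern allows them, filter_var rejects them.
    // inet_aton() in the C library reads 010 as octal 8, so "010.0.0.1" is
    // 8.0.0.1 to it; an IP allowlist built on this regex alone can be bypassed
    // that way if the address is later parsed by such a routine.
    array('010.0.0.1',       true,  false),
);

foreach ($cases as $c) {
    list($ip, $wantRegex, $wantFilter) = $c;
    $gotRegex  = isValidIPv4($ip);
    $gotFilter = filterIPv4($ip);
    printf("%-20s regex=%-5s filter_var=%-5s %s\n",
        json_encode($ip),
        var_export($gotRegex, true), var_export($gotFilter, true),
        ($gotRegex === $wantRegex && $gotFilter === $wantFilter) ? 'ok' : 'MISMATCH');
}

// The \b form is fine for finding addresses inside text, but it is not a
// validator: on "1.2.3.4.5" it happily returns the first four octets.
print_r(findIPv4('client 1.2.3.4.5 connected via 10.0.0.7'));
```

Run it with `php` on the command line. The useful points are the two rows that differ: the regex accepts leading zeros while `filter_var()` does not, and the `\b` variant extracts a "valid" address out of a five-part string, which is why the anchored form belongs in `validIp` and the `\b` form only in a scanner.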
mem | MemHT's Dad | Admin & Developer | Posts: 5130
Date: 14/05/2008 19:05 | Re: Security enhancements | #post7130
Good job, thanks.
Docwyatt2001 | Developer | Posts: 98
Version: Memht 3.5 | Country: Australia | Languages: English
Date: 15/05/2008 05:28 | Re: Security enhancements | #post7144
No problems. Happy to offer suggestions.
Sticking with that file, here are the before and after bits of code that I've added regarding the email. It's the simplest way I could think of (pinching part of the earlier unhtmlentities function). The other methods of hiding the email required HTML tag changes around it (either A or BDO), which means some further changes outside of these functions.
Before
| code |
//Mask email (email@memht.com -> email at memht dot com)
function maskEmail($email) {
$email = str_replace("@"," at ",$email);
$email = str_replace("."," dot ",$email);
return $email;
}
|
After
| code |
//Convert every character of a string into its numeric HTML entity (&#NN;)
function allHTMLEntities($string) {
$trans_tbl = array();
//map every printable ASCII character to its decimal entity
for($i=32;$i<127;$i++) { $trans_tbl[chr($i)] = '&#'.$i.';'; }
//one strtr pass: each character is translated once, so the '&' of an entity is never encoded a second time
return strtr($string,$trans_tbl);
}
//Mask email (email@memht.com -> email at memht dot com)
function maskEmail($email) {
$email = str_replace("@"," at ",$email);
$email = str_replace("."," dot ",$email);
return allHTMLEntities($email);
}
|
If you wanted to take it further with the BDO part... Split on the semicolon, reverse the array, and then rejoin it. Then wrap it in the BDO tag and set the direction to RTL (right to left). Done.
"Where is my damn coffee!!!"
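The full chain sketched in the first post and worked out in the post above, written as an added example (not MemHT's code and not the poster's): the at/dot rewrite, every character as a numeric entity, and the split-on-semicolon, reverse, wrap-in-`<bdo dir="rtl">` step, followed by a check of what two harvesting regexes see in the page source against what the browser renders. The function names (`allNumericEntities`, `maskEmailEntities`, `maskEmailBdo`, `rendered`, `harvesterFinds`), the sample address and the harvester regex are my own; it assumes PHP 7.2+ with mbstring for `mb_ord()` and UTF-8 input.

```php
<?php
// Added example, not MemHT code: the maskEmail() chain from the posts (at/dot
// rewrite, numeric entities, <bdo dir="rtl"> reversal) with a check of what a
// harvester sees in the source versus what the reader sees on screen.
// Assumes PHP 7.2+ with mbstring (mb_ord) and UTF-8 input.

// Every character -> decimal entity, e.g. "a" -> "&#97;". Splitting with
// the /u flag keeps multibyte characters whole.
function allNumericEntities($string) {
    $out = '';
    foreach (preg_split('//u', $string, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
        $out .= '&#' . mb_ord($ch, 'UTF-8') . ';';
    }
    return $out;
}

// Step 1: user@memht.com -> user at memht dot com (the existing approach)
function maskEmail($email) {
    return str_replace(array('@', '.'), array(' at ', ' dot '), $email);
}

// Step 2: the masked text with every character entity-encoded
function maskEmailEntities($email) {
    return allNumericEntities(maskEmail($email));
}

// Step 3: split the entity string on ';', reverse, rejoin, wrap in <bdo dir="rtl">.
// The source now holds the address backwards; the browser paints it right-to-left,
// so the reader sees it the right way round.
function maskEmailBdo($email) {
    $parts = array_filter(explode(';', allNumericEntities($email)), 'strlen');
    return '<bdo dir="rtl">' . implode(';', array_reverse($parts)) . ';</bdo>';
}

// What the reader sees: entities decoded, and for the bdo form the logical
// order reversed again, which is what right-to-left rendering does visually
function rendered($html) {
    $text = html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8');
    if (strpos($html, '<bdo dir="rtl">') === 0) {
        $text = implode('', array_reverse(preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY)));
    }
    return $text;
}

// Two harvesters: a naive one running an email regex over the raw source,
// and one that decodes entities first (a common second step in scrapers)
function harvesterFinds($html, $decodeFirst = false) {
    $src = $decodeFirst ? html_entity_decode($html, ENT_QUOTES, 'UTF-8') : $html;
    return preg_match('/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i', $src) === 1;
}

$email = 'user@memht.com';   // constructed sample address
$variants = array(
    'plain'    => $email,
    'atdot'    => maskEmail($email),
    'entities' => maskEmailEntities($email),
    'bdo'      => maskEmailBdo($email),
);
foreach ($variants as $name => $html) {
    printf("%-9s naive=%-3s decoding=%-3s renders=%s\n", $name,
        harvesterFinds($html) ? 'yes' : 'no',
        harvesterFinds($html, true) ? 'yes' : 'no',
        rendered($html));
}
```

Two things worth keeping in mind when reading the output. The entity layer only costs a harvester one `html_entity_decode()` call, and a scraper that also normalises " at " and " dot " or reverses the decoded text is back to the plain address, so these steps raise the cost of harvesting rather than prevent it; that is fine for guest-visible pages as long as nobody treats it as access control. The `<bdo>` form also has a usability price: the text in the document is stored backwards, so it cannot sit inside a `mailto:` link and copying it from the page gives the reversed string, which is why the post notes it needs changes outside these two functions.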
Docwyatt2001 | Developer | Posts: 98
Version: Memht 3.5 | Country: Australia | Languages: English
Date: 15/05/2008 10:13 | Re: Security enhancements | #post7147
I've just taken a look at how to write the mods for Memht, so what I will do is make these changes into a mod file and do it that way.
EDIT: Doh... Not a format... Someone just wrote it that way. Although... that kind of gives me an idea for an add-on.
Edited: 15/05/2008 12:51
"Where is my damn coffee!!!"
mem | MemHT's Dad | Admin & Developer | Posts: 5130
Date: 15/05/2008 13:44 | Re: Security enhancements | #post7152
I like it. The 3.8.0 release is already finished, but I'll consider it for the next release. Thanks.
Docwyatt2001 | Developer | Posts: 98
Version: Memht 3.5 | Country: Australia | Languages: English
Date: 15/05/2008 17:09 | Re: Security enhancements | #post7161
You're welcome. You gave us Memht... it's the least someone can do.
3.8.0... Awesome... How long till that's officially released?
Edited: 15/05/2008 17:14
"Where is my damn coffee!!!"