Coppermine Picture Gallery using Inspekt


Aditya Mooley

Jan 22, 2008, 1:51:54 AM
to inspekt
Hi all,

Just wanted to let you all know that the upcoming Coppermine Picture
Gallery (http://coppermine-gallery.net) version 1.5 will be using
Inspekt to firewall and sanitize all the super globals. About 90% of
code has been ported over to use Inspekt.

We had to add two methods getEscaped and getMatched to Inspekt. Can
make a patch available if anyone else needs it.

Also, we had to remove $_SESSION from supercage as it was killing the
session.

Regards,
Aditya

Ed Finkler

Jan 22, 2008, 3:00:43 PM
to ins...@googlegroups.com
On Jan 22, 2008 1:51 AM, Aditya Mooley <aditya...@gmail.com> wrote:
>
> Hi all,
>
> Just wanted to let you all know that the upcoming Coppermine Picture
> Gallery (http://coppermine-gallery.net) version 1.5 will be using
> Inspekt to firewall and sanitize all the super globals. About 90% of
> code has been ported over to use Inspekt.

That's great to hear! I'm happy that a successful open-source app like
Coppermine is utilizing Inspekt.

> We had to add two methods getEscaped and getMatched to Inspekt. Can
> make a patch available if anyone else needs it.

I *think* you may have shared those with me earlier, and at the time I
was under the constraints of the OWASP proposal. They sound like they
might be good candidates for inclusion into the main project. Can you
resend them to me?

> Also, we had to remove $_SESSION from supercage as it was killing the
> session.

This is a problem, and it needs some real rethinking. I didn't give
the proper thought to how $_SESSION should be handled in Inspekt, and
therefore it's treated like a read-only input source, just like the
rest of the superglobals. I'm not quite sure of the best approach at
this point, but I would really appreciate your input.

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron

Aditya

Jan 23, 2008, 4:33:13 AM
to ins...@googlegroups.com
On Jan 23, 2008 1:30 AM, Ed Finkler <funk...@gmail.com> wrote:

> > We had to add two methods getEscaped and getMatched to Inspekt. Can
> > make a patch available if anyone else needs it.
>
> I *think* you may have shared those with me earlier, and at the time I
> was under the constraints of the OWASP proposal. They sound like they
> might be good candidates for inclusion into the main project. Can you
> resend them to me?

You think correctly. :) I have attached a patch.

/me crosses fingers and hopes this group allows attachments.

> > Also, we had to remove $_SESSION from supercage as it was killing the
> > session.
>
> This is a problem, and it needs some real rethinking. I didn't give
> the proper thought to how $_SESSION should be handled in Inspekt, and
> therefore it's treated like a read-only input source, just like the
> rest of the superglobals. I'm not quite sure of the best approach at
> this point, but I would really appreciate your input.

Actually I am also looking for the best option for this.
Another thing I just remembered about sessions: I had to do the following in my code to get sessions working:
session_id($superCage->cookie->getAlnum('PHPSESSID'));

--
Regards,
Aditya

http://adityamooley.net
http://coppermine.sf.net
inspekt.txt
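The bootstrap order that Aditya's session_id() workaround implies, written out as an added example that is not Coppermine's or Inspekt's own code. It assumes Inspekt::makeSuperCage() in its default strict mode, the ->cookie->getAlnum() and ->get->getInt() accessors (the former is the one used in the thread), and PHP's standard session handler; the request values are constructed for the run.

```php
<?php
// Added example, not Coppermine or Inspekt code. It shows why the cage has
// to run first, why the session id then has to be re-injected, and why
// $_SESSION stays out of the cage.
require_once 'Inspekt.php';   // assumption: Inspekt's loader is on the include path

// 1. Cage the request. In Inspekt's strict mode the raw superglobals
//    ($_GET, $_POST, $_COOKIE, ...) are emptied, so every later read has
//    to go through a filtering accessor on the cage.
$superCage = Inspekt::makeSuperCage();

// 2. PHP's session module looks the id up in $_COOKIE when session_start()
//    runs. With $_COOKIE emptied by the cage it finds nothing and hands out
//    a fresh, empty session on every request, which is the "killing the
//    session" symptom. Re-inject the id from the caged cookie instead.
//    getAlnum() keeps only [A-Za-z0-9], so a malformed or crafted id value
//    never reaches session_id(); Inspekt returns false for a missing key.
$sid = $superCage->cookie->getAlnum(session_name());   // 'PHPSESSID' by default
if (is_string($sid) && $sid !== '') {
    session_id($sid);
}
session_start();

// 3. $_SESSION is left uncaged on purpose: it is server-side state that the
//    application writes and that PHP serialises at shutdown, not read-only
//    client input. A cage only offers filtered reads, so routing writes
//    through it would lose them.
$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;

// 4. Everything that did come from the client is read through the cage.
$album = $superCage->get->getInt('album');   // false if absent or not an integer

printf("session %s, visit %d, album %s\n",
    session_id(), $_SESSION['visits'], var_export($album, true));
```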