[MTOS-dev] A complementary implementation of MT::App::Viewer [r1127]
Hirotaka Ogawa
hirotaka.ogawa at gmail.com
Sat Jan 19 00:05:08 PST 2008
On Jan 19, 2008 2:21 PM, Byrne Reese <byrne at sixapart.com> wrote:
>
> We are evaluating this patch, but need to be careful in light of the recent
> security vulnerability we patched. Our desire is to incorporate this fix, or
> one similar to it, to enable a fully pure-perl dynamic publishing system,
> but we need to ensure that this mechanism cannot be used to reveal the
> contents and IP contained within MT templates.

Indeed.
Do you have any plan to avoid revealing the contents within MT
templates, which should be processed by the PHP interpreter?
Facilitate some container, which would be ignored while Perl processes
MT templates? Or something else?

>
> On 12/30/07 11:08 PM, "Hirotaka Ogawa" <hirotaka.ogawa at gmail.com> wrote:
>
> > Hello,
> >
> > This patch report is intended to provide a complete implementation of
> > MT::App::Viewer to MTOS.
> >
> > BRIEF SUMMARY:
> > The attached file is a patch to MTOS [r1127], which allows you to use
> > mt-view.cgi and MT::App::Viewer.
> >
> > RATIONALE:
> >
> > Users cannot use mt-view.cgi properly in MT 4.0/4.1, because
> > MT::App::Viewer is not completely implemented. %view_handlers is
> > defined to use _view_archive() function, but _view_archive() function
> > itself is not defined. And, _view_date_archive(), _view_entry(), and
> > _view_category() have been obsoleted.
> >
> > TECHNICAL OVERVIEW:
> >
> > This patch only provides modifications to MT::App::Viewer, which adds
> > the definition of _view_archive(), and modifies view() and
> > _view_index() in order to properly handle any indexes and archives.
> >
> > After applying this patch, you'll be able to use mt-view.cgi and show
> > any indexes and archives by URLs like:
> >
> > http://your.domain.name/mtdir/mt-view.cgi?blog_id=1&uri=/blog/
> >
> > blog_id indicates a blog ID, and uri indicates the URI of the target
> > index or archive.
> >
> > Also, you will be able to invoke mt-view.cgi based on the "REQUEST_URI"
> > environment variable, by facilitating Apache mod_rewrite.
> >
> > Options -Indexes +SymLinksIfOwnerMatch
> > <IfModule mod_rewrite.c>
> > <IfModule mod_dir.c>
> > DirectoryIndex index.php index.html index.htm default.htm default.html default.asp /MTDIR/mt-view.cgi?blog_id=1
> > </IfModule>
> > RewriteEngine on
> > RewriteCond %{REQUEST_FILENAME} !-d
> > RewriteCond %{REQUEST_FILENAME} !-f
> > RewriteRule ^(.*)$ /MTDIR/mt-view.cgi?blog_id=1 [L,QSA]
> > </IfModule>
> > <IfModule !mod_rewrite.c>
> > ErrorDocument 404 /MTDIR/mt-view.cgi?blog_id=1
> > ErrorDocument 403 /MTDIR/mt-view.cgi?blog_id=1
> > </IfModule>
>
>
--
Hirotaka Ogawa makes no sense.
http://as-is.net/blog/