(original thread)Extension installer - new way to install extensions (3 Viewers)
- Thread starter dukus
- Start date
- Status
- September 17, 2005
- 370
- 10
Do you mean it has finally been included in MP SVN?
- Thread starter
- #53
Yes, it is included in MP SVN and we try to make a new site for supporting mpi files for updating and downloading.
But the program need to be tested....., and support from extension developers
The problem was in installer the package it is mostly ok
But the program need to be tested....., and support from extension developers
The problem was in installer the package it is mostly ok
I've started scripting a bit (I'll have more time in some weeks) on the php interface.
What is making a bit more difficult is that the webserver of mediaportal is giving me no errors at all. Even with the error repoting flag set to ALL I can't get any error reports. Is there something I can do about that myself? It would speed up the development.
Thank you. It's not giving all errors now, but enough.
I've got the upload part (from a web interface of course) working with all possible checks. The most thorough one is the mime type check. But with the mpi extension that's a bit difficult. It makes php not recognize the file as a zip. The mime type it returns is "application/octet-stream". Which is the same as "*". In other words.... Allowing this mime type will create a security issue. If someone who would want to harm the server could break the login security, or in any other way could obtain access to the upload possibility, he could upload a file with any unknown extension (an executable script for example). This person would also have to hack the server again thrue another method to execute the file. If he would succeed in that he could do anything he wants with the server (everything the webserver allows). Read source files (database passwords .... etc.), delete and modify files....and so on.
It's not a very big risk, but it's there. This is all because of the for php unknown mpi extension. Even though it really is a zip file.
If I upload a zip file and restrict all other mime types the upload script is absolutely secure. But renaming the exact same file to *.mpi and uploading it results in having to allow all unknown file extensions.
I'm not sure how secure the script has to be.
One solution that I have already prepared is allowing only zip files to be uploaded. Then rename it to .mpi on the server. This would fix the security issue. Would that be a solution? Or should I ignore the security problem? It's highly unlikely anyone could ever gain (or want to gain) illegal access to the server to execute the illegally uploaded file (if one would even succeed uploading a harmfull file). But still, I like to be thorough.
I've got the upload part (from a web interface of course) working with all possible checks. The most thorough one is the mime type check. But with the mpi extension that's a bit difficult. It makes php not recognize the file as a zip. The mime type it returns is "application/octet-stream". Which is the same as "*". In other words.... Allowing this mime type will create a security issue. If someone who would want to harm the server could break the login security, or in any other way could obtain access to the upload possibility, he could upload a file with any unknown extension (an executable script for example). This person would also have to hack the server again thrue another method to execute the file. If he would succeed in that he could do anything he wants with the server (everything the webserver allows). Read source files (database passwords .... etc.), delete and modify files....and so on.
It's not a very big risk, but it's there. This is all because of the for php unknown mpi extension. Even though it really is a zip file.
If I upload a zip file and restrict all other mime types the upload script is absolutely secure. But renaming the exact same file to *.mpi and uploading it results in having to allow all unknown file extensions.
I'm not sure how secure the script has to be.
One solution that I have already prepared is allowing only zip files to be uploaded. Then rename it to .mpi on the server. This would fix the security issue. Would that be a solution? Or should I ignore the security problem? It's highly unlikely anyone could ever gain (or want to gain) illegal access to the server to execute the illegally uploaded file (if one would even succeed uploading a harmfull file). But still, I like to be thorough.
Hi all.
I just discovered this great "plugin". Awesome idea... (and awesome result of course
)
I definitely plan to release next versions of my plugins as MPI. The group function helps me a lot with my new version of the ViewmodeSwitcher, because the version needs to know if the tv channel has been changed I need separated dll files installed beside the plugin. I was thinking about building a small installer my self to keep the "nastiness" from my users. Know I can just use the MPInstaller
I just did some brief test with the Installer: Could it be that the "Uninstall" function does not work right now? I get an "invalid package!" error. I use the SVN 15338.
And a potential suggestion: If two packages came this the same file (maybe a sql dll copied to the mp root) than it would be helpful to think about a file counter (like the windows installer did that for dll files). Every installation that comes with the file increased the counter and decreased it during uninstall. That avoids that the removal of one of those packages "destroys" the other one.
Bye
Lars
I just discovered this great "plugin". Awesome idea... (and awesome result of course
)I definitely plan to release next versions of my plugins as MPI. The group function helps me a lot with my new version of the ViewmodeSwitcher, because the version needs to know if the tv channel has been changed I need separated dll files installed beside the plugin. I was thinking about building a small installer my self to keep the "nastiness" from my users. Know I can just use the MPInstaller
I just did some brief test with the Installer: Could it be that the "Uninstall" function does not work right now? I get an "invalid package!" error. I use the SVN 15338.
And a potential suggestion: If two packages came this the same file (maybe a sql dll copied to the mp root) than it would be helpful to think about a file counter (like the windows installer did that for dll files). Every installation that comes with the file increased the counter and decreased it during uninstall. That avoids that the removal of one of those packages "destroys" the other one.
Bye
Lars
It seems that I still don't have enough information.
Could you make a document discribing the way you have in mind everything should work, step by step? I can help, but I need more info.
- January 30, 2006
- 469
- 2
- Home Country
-
Belgium
Just a little off-topic question is this installer also going to be used to install skins? Because I was thinking about this the last couple of days. Because it is very hard to maintain a skin to be up to date with the latest version of MP there should be a way for Skin authors to upload there new files (updated ones for latest versions) to the SVN or some other place on the server and then hev a button in the settings part of the skin to update the skin to work with last version. I think this would really help out skin authors and because you are working on something similar it could be included in this project.
- Status