(original thread)Extension installer - new way to install extensions (3 Viewers)

Status
Not open for further replies.

idioteque

Retired Team Member
  • Premium Supporter
  • September 29, 2005
    609
    9
    Home Country
    Netherlands Netherlands
    just curious, was or is it the installer or is / was it the MPI file that is not created ok ?
     

    piranha

    MP Donator
  • Premium Supporter
  • September 17, 2005
    370
    10
    Some news:
    - MPInstaller now it is included in SVN
    - support for a default skin files witch used in non supported skins
    - saving file bug fixed
    - in editor support for DEL key

    Do you mean it has finally been included in MP SVN?
     

    dukus

    Portal Pro
    January 20, 2006
    783
    748
    44
    Home Country
    Romania Romania
    Yes, it is included in MP SVN and we try to make a new site for supporting mpi files for updating and downloading.
    But the program need to be tested....., and support from extension developers

    just curious, was or is it the installer or is / was it the MPI file that is not created ok ?

    The problem was in installer the package it is mostly ok
     

    Bram

    Portal Pro
    December 12, 2005
    851
    3
    's-Hertogenbosch
    Home Country
    Netherlands Netherlands
    Yes, it is included in MP SVN and we try to make a new site for supporting mpi files for updating and downloading.
    But the program need to be tested....., and support from extension developers

    I've started scripting a bit (I'll have more time in some weeks) on the php interface.
    What is making a bit more difficult is that the webserver of mediaportal is giving me no errors at all. Even with the error repoting flag set to ALL I can't get any error reports. Is there something I can do about that myself? It would speed up the development.
     

    dukus

    Portal Pro
    January 20, 2006
    783
    748
    44
    Home Country
    Romania Romania
    try this
    ini_set('display_errors',1);
    work for me
     

    Bram

    Portal Pro
    December 12, 2005
    851
    3
    's-Hertogenbosch
    Home Country
    Netherlands Netherlands
    Thank you. It's not giving all errors now, but enough.

    I've got the upload part (from a web interface of course) working with all possible checks. The most thorough one is the mime type check. But with the mpi extension that's a bit difficult. It makes php not recognize the file as a zip. The mime type it returns is "application/octet-stream". Which is the same as "*". In other words.... Allowing this mime type will create a security issue. If someone who would want to harm the server could break the login security, or in any other way could obtain access to the upload possibility, he could upload a file with any unknown extension (an executable script for example). This person would also have to hack the server again thrue another method to execute the file. If he would succeed in that he could do anything he wants with the server (everything the webserver allows). Read source files (database passwords .... etc.), delete and modify files....and so on.

    It's not a very big risk, but it's there. This is all because of the for php unknown mpi extension. Even though it really is a zip file.
    If I upload a zip file and restrict all other mime types the upload script is absolutely secure. But renaming the exact same file to *.mpi and uploading it results in having to allow all unknown file extensions.

    I'm not sure how secure the script has to be.
    One solution that I have already prepared is allowing only zip files to be uploaded. Then rename it to .mpi on the server. This would fix the security issue. Would that be a solution? Or should I ignore the security problem? It's highly unlikely anyone could ever gain (or want to gain) illegal access to the server to execute the illegally uploaded file (if one would even succeed uploading a harmfull file). But still, I like to be thorough.
     

    dukus

    Portal Pro
    January 20, 2006
    783
    748
    44
    Home Country
    Romania Romania
    You should ignore this issue, when a file is uploaded is stored database only when published it exist physically on server, but then it is tested of it is a valid mpi file (zip,and contain right xml file)
     

    lkuech

    Retired Team Member
  • Premium Supporter
  • February 16, 2007
    576
    83
    50
    Hamburg
    Home Country
    Germany Germany
    Hi all.

    I just discovered this great "plugin". Awesome idea... (and awesome result of course ;))
    I definitely plan to release next versions of my plugins as MPI. The group function helps me a lot with my new version of the ViewmodeSwitcher, because the version needs to know if the tv channel has been changed I need separated dll files installed beside the plugin. I was thinking about building a small installer my self to keep the "nastiness" from my users. Know I can just use the MPInstaller :D

    I just did some brief test with the Installer: Could it be that the "Uninstall" function does not work right now? I get an "invalid package!" error. I use the SVN 15338.

    And a potential suggestion: If two packages came this the same file (maybe a sql dll copied to the mp root) than it would be helpful to think about a file counter (like the windows installer did that for dll files). Every installation that comes with the file increased the counter and decreased it during uninstall. That avoids that the removal of one of those packages "destroys" the other one.

    Bye
    Lars
     

    Bram

    Portal Pro
    December 12, 2005
    851
    3
    's-Hertogenbosch
    Home Country
    Netherlands Netherlands
    You should ignore this issue, when a file is uploaded is stored database only when published it exist physically on server, but then it is tested of it is a valid mpi file (zip,and contain right xml file)

    It seems that I still don't have enough information.
    Could you make a document discribing the way you have in mind everything should work, step by step? I can help, but I need more info.
     

    THDBASED

    Portal Pro
    January 30, 2006
    469
    2
    Home Country
    Belgium Belgium
    Just a little off-topic question is this installer also going to be used to install skins? Because I was thinking about this the last couple of days. Because it is very hard to maintain a skin to be up to date with the latest version of MP there should be a way for Skin authors to upload there new files (updated ones for latest versions) to the SVN or some other place on the server and then hev a button in the settings part of the skin to update the skin to work with last version. I think this would really help out skin authors and because you are working on something similar it could be included in this project.
     
    Status
    Not open for further replies.

    Users who are viewing this thread

    Top Bottom