[ZendTo] Re: Library function

Jules Jules at Zend.To
Tue Jan 24 21:46:55 GMT 2012



On 24/01/2012 21:31, Brian Ott wrote:
> On Tue, Jan 24, 2012 at 09:18:47PM +0000, Jules wrote:
>>
>> On 24/01/2012 17:48, Brian Ott wrote:
>>> Thanks Jules,
>>>
>>> That worked. I've noticed now another issue.
>>>
>>> If someone sends me a file and I get the link in the email and go to
>>> it if I am not currently logged in I cannot download the file. I get
>>> an error message.
>> What error message?
> Please see the image: http://imgur.com/6jssN
Have you upgraded from an earlier version of ZendTo?
If so, did you read the notes on the download page on http://zend.to/ 
about having to update the database schema after upgrading? You are 
probably missing the relevant table from your database. Run the 2nd 
"mysql" command given in /opt/zendto/sql/README.MySQL to add the missing 
tables, then give it another go.

If you have "humanDownloads => true," in your preferences.php file then 
it will insist on you passing a captcha test before being allowed to 
download your files (stops DOS and DDOS attacks on the download page). 
You can choose to disable this by setting it to false, but I would make 
sure your database is correct instead.
>
>
>>>    This reason is because I'm in the network that is
>>> forced to login.
>> There isn't any "network that is forced to login" in ZendTo. In the
>> network prefixes listed in the preferences.php file, a little login box
>> is presented on the home page to make it easier for them to login if
>> they want to. But they are not "forced to login" at all.
>>> This causes confusion to all our internal users as they receive the
>>> email, click the link and the file is not accessible.
>> It should be accessible to anyone! The most recent versions support
>> another "captcha" at the file download point so that you cannot be
>> DDOS-ed by millions of botnet machines all trying to download the same
>> file at the same time. (I've had this done to my own ZendTo site
>> already, so I guess I'm making an impression on the rip-off market held
>> by yousendit and the like. :-)
> We disabled captchas, I agree with the purpose but we had complaints
> that it was just too hard to read.
Unfortunately captchas have to be hard to read, or else they are too 
easy to automate. Most of the captcha libraries/services out there have 
been cracked and automated, Google's is one of the few that hasn't. If 
you set "humanDownloads => false," in preferences.php, then it should go 
straight to the download page when you click on an email link sent by 
ZendTo, without it trying to display any captcha at all. But if your 
database is set up correctly then it should all still work.
>
>>>    It would be nice
>>> that before they can go to the page with the file listed they are
>>> forced to login or ask them to login before the download if they are
>>> in that network.
>> No-one ever has to login to download a file, when they get the download
>> link in an email generated by ZendTo.
> Ok. I was under the wrong impression because if I login and then click
> on the link from the email I can download it just fine.
That's because it knows you are logged in and hence doesn't try to 
present the captcha page at all. I'll check the code where it tries to 
present the download captcha and make sure it works in the state where 
"humanDownloads" is true, but the captchas have been disabled.
>
>
>>>    This would remove that confusion to 'typical' users.
>> The whole point is that they can send files to anyone, inside or outside
>> your organisation. ZendTo download links work without you having to
>> login, that's the point. Otherwise people outside your organisation
>> wouldn't be able to download files, as they have no login details for
>> your organisation.
>>
> Agreed, it's just that some organizations like ours take security and
> privacy to a certain level. We want everyone within our organization to
> be logged in and tracked. It may sound weird but for auditing purposes
> it's needed.
In which case surely you need captchas? By switching them off you are 
allowing any malware or botnet loose on your ZendTo service, and people 
can automatically post content into your ZendTo service. It's not that 
hard to automate it once the captchas are removed from the equation. If 
you care about security and privacy seriously, then you should put the 
captchas back in or else you have no knowledge at all about who might be 
using your ZendTo service.

It does always log the IP address of the computer that downloaded the 
files, but that's the only information available.

Jules.

>
>> Jules.
>>
>>> On Mon, Jan 23, 2012 at 10:16:09AM +0000, Jules wrote:
>>>> Oops! Sorry about that.
>>>>
>>>> Go through that file and change every occurrence of
>>>>        sqlite_escape_string
>>>> to
>>>>        $this->database->real_escape_string
>>>> There should be 5 of them.
>>>>
>>>> Then you should find it works rather better! :-)
>>>>
>>>> This will of course be fixed in the next release.
>>>>
>>>> Jules.
>>>>
>>>> On 18/01/2012 21:09, Brian Ott wrote:
>>>>> Hey Jules,
>>>>>
>>>>> I did notice this: [Wed Jan 18 16:07:03 2012] [error] [client
>>>>> 10.10.10.72] PHP Fatal error:  Call to undefined function
>>>>> sqlite_escape_string() in /nfs/zendto/zendto_application/lib/MySQL.php
>>>>> on line 801, referer: https://URL/dropoff.php
>>>>>
>>>>>
>>>>> In the logs when this happens (I replaced our URL)
>>>>>
>>>>> On Wed, Jan 18, 2012 at 03:37:23PM -0500, Brian Ott wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Is anyone using the 'Library' function? I've been having some issues
>>>>>> with it where, when a user selects to send a file in the library,
>>>>>> after they click 'dropoff' they get an Error 500 page. I'm not sure why
>>>>>> this is happening. ZendTo sees the file just fine and in the database
>>>>>> it's been added as a send but the page errors.
>>>>>>
>>>>>> -- 
>>>>>> Brian Ott
>>>>>> Unix System Administrator
>>>>>>
>>>>>> Ontario Institute for Cancer Research
>>>>>> MaRS Centre, South Tower
>>>>>> 101 College Street, Suite 800
>>>>>> Toronto, Ontario, Canada M5G 0A3
>>>>>>
>>>>>> Telephone:	647-260-7977
>>>>>> Email:		brian.ott at oicr.on.ca
>>>>>> www.oicr.on.ca
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> ZendTo mailing list
>>>>>> ZendTo at zend.to
>>>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>> Jules
>>>>
>>>> -- 
>>>> Julian Field MEng CITP CEng
>>>> www.Zend.To
>>>>
>>>> Follow me at twitter.com/JulesFM
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>
>>>> 'It's okay to live without all the answers' - Charlie Eppes, 2011
>>>> 'All programs have a desire to be useful' - Tron, 1982
>>>> 'That is the land of lost content,
>>>>     I see it shining plain,
>>>>     The happy highways where I went,
>>>>     And cannot come again.' - A.E. Houseman
>>>>
>> Jules
>>
>> -- 
>> Julian Field MEng CITP CEng
>> www.Zend.To
>>
>> Follow me at twitter.com/JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> 'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
>> 'All programs have a desire to be useful' - Tron, 1982
>>

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
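
The rename quoted earlier in this thread (every `sqlite_escape_string` changed to `$this->database->real_escape_string`), as an added example that is not part of the original message or ZendTo's own code: it keeps a backup, counts the calls changed, and fails if any unescaped-by-MySQL call survives. The function names and the sample PHP lines are constructed for illustration.

```shell
#!/bin/sh
OLD='sqlite_escape_string'
NEW='$this->database->real_escape_string'   # literal PHP text, not a shell variable

# Count every occurrence of $OLD in file $1 (two on one line count twice).
count_old() {
    grep -o "$OLD" "$1" | wc -l | tr -d ' '
}

# Replace $OLD with $NEW in file $1, keeping the original as $1.bak.
# Prints the number of calls changed; non-zero status if any survive.
fix_escape_calls() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    before=$(count_old "$f")
    if [ "$before" -eq 0 ]; then echo 0; return 0; fi   # already fixed
    cp -p "$f" "$f.bak" || return 2
    sed "s/$OLD/$NEW/g" "$f.bak" > "$f.tmp" || return 2
    # Copy back in place so the file keeps its owner and mode.
    cat "$f.tmp" > "$f" && rm -f "$f.tmp" || return 2
    [ "$(count_old "$f")" -eq 0 ] || return 1
    echo "$before"
}

# Constructed sample standing in for lib/MySQL.php (not real ZendTo source).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/MySQL.php" <<'EOF'
<?php
$q = sprintf("SELECT * FROM t WHERE a='%s'", sqlite_escape_string($a));
$r = sprintf("INSERT INTO t VALUES ('%s','%s')",
             sqlite_escape_string($b), sqlite_escape_string($c));
EOF
    echo "changed: $(fix_escape_calls "$d/MySQL.php")"
    cat "$d/MySQL.php"
    rm -rf "$d"
}

demo
```

On a real install, call `fix_escape_calls` with the path to `lib/MySQL.php`; the thread says to expect 5 changes, and `php -l` on the result confirms the file still parses.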


