[ZendTo] Feature Request: Option to disable visible version strings

Jules Field Jules at Zend.To
Fri Jul 13 15:31:07 BST 2018


Ricky,

The only way it will affect future upgrades (and/or 
upgrade_preferences_php) is that upgrade_preferences_php will always 
reset it to the version number given in the new preferences.php file.
The value itself is *purely* cosmetic.
No part of ZendTo or any accompanying script ever depends on the value 
it sees in there.

Rather than edit the template, to get rid of it you should just 
customise the "translation" of the strings in the UI.
This is described in
     http://zend.to/translators.php

If you've got preferences.php saying that
'language' => 'en_US',
then look in
/opt/zendto/config/locale/en_US/LC_MESSAGES
In there, edit the "zendto.po" file.
Search for the lines
msgid "Version %1 has been developed by %2."
and
msgid "Version %1"
Immediately under each line is the "msgstr" which is what the string is 
translated into. If the msgstr value is "" then the "msgid" value above 
it is used by default. But if you set something simple like
msgstr "Developed by %2."
and
msgstr " "
for them, then the "Version %1" text simply won't appear.
Then run
/opt/zendto/bin/makelanguages
to compile all the .po files into .mo files.

If a quick refresh of your browser doesn't show the new content, restart 
Apache as sometimes it caches stuff it shouldn't.

That may sound more complicated than simply editing the template file.
But.....
When I change the template files in future versions, you won't have to 
re-apply your edit, or risk ending up with an out-of-date template 
because you missed the ".rpmnew" version that got created.
Instead, your changes to the output for those 2 strings will survive, 
and the .po files automatically get all the new strings added to them 
whenever makelanguages is run (which happens as part of the rpm/deb 
install/upgrade process).

This is described on
     http://zend.to/translators.php
and is now the more reliable method of changing the text in the UI to 
match your own requirements.

Hope that helps,
Jules.

On 13/07/2018 15:16, Ricky Boone wrote:
> I thought about that, but wasn't sure it wouldn't cause issues with 
> future upgrades (specifically with the config/preferences upgrade 
> scripts), and the intent was to completely remove the version string 
> from non-administrative users.
>
> Again, not a major issue, I have the option of changing ZTVERSION, as 
> well as modifying the template, just thought this could be something 
> that might be worth implementing at some point.  No worries.  :)
>
> Thanks for the quick reply.
>
> On Thu, Jul 12, 2018, 12:31 PM Jules Field <Jules at zend.to 
> <mailto:Jules at zend.to>> wrote:
>
>     Why not just set "ZTVERSION" in preferences.php to any other string you
>     like?
>     That's exactly why I let you set it. Just change it to "1" or something
>     like that.
>
>     Cheers,
>     Jules.
>
>     On 12/07/2018 16:30, Ricky Boone via ZendTo wrote:
>     > I think it would be helpful to include an option that disables the
>     > visibility of the version, at least to non-administrators, that is
>     > normally rendered at the footer of every page.  While there are
>     > absolutely other ways to secure a system, or ways that bad actors
>     > could determine what version you're potentially running, handing out
>     > information like the version string can be a risk if there is a zero
>     > day or other vulnerability.  Several best practices related to
>     > securing a web server include disabling version strings or otherwise
>     > obfuscating the Server header in Apache httpd, for example:
>     >
>     >
>     > https://www.owasp.org/index.php/Fingerprint_Web_Server_(OTG-INFO-002)
>     >
>     > For the time being, I'm just clearing out the parts of the footer.tpl
>     > template that include this, but I think this would be cleaner to do
>     > within the config.  If I'm going about this the wrong way, let me
>     > know, however I'm still of the opinion that publicly announcing this
>     > level of detail is probably not the most secure option, either.
>     >
>
>     Jules
>
>     -- 
>     Julian Field MEng CEng CITP MBCS MIEEE MACM
>
>     'Adversity is like a strong wind. I don't mean just that it holds
>       us back from places we might otherwise go. It also tears away from
>       us all but the things that cannot be torn, so that afterward we see
>       ourselves as we really are, and not merely as we might like to be.'
>       - Arthur Golden
>
>     www.Zend.To <http://www.Zend.To>
>     Twitter: @JulesFM
>     PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

Trafalgar: Northwesterly but cyclonic at first in southeast, and later in
north, 4 or 5. Slight or moderate. Occasional rain. Good, occasionally
moderate.

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
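
The .po override procedure from the message above, as an added shell example that is not part of the original post and is not ZendTo code. The function names are hypothetical; the msgid strings, the zendto.po location and the makelanguages path are the ones given in the message.

```shell
#!/bin/sh
# Added example (not ZendTo code). Function names are hypothetical; the
# msgid strings and file locations are the ones quoted in the message.

# set_msgstr FILE MSGID NEWSTR: replace the msgstr that follows an exact
# msgid match, dropping any "..." continuation lines of the old value.
# Returns non-zero if the msgid is absent, so a renamed string is noticed.
set_msgstr() {
    po=$1; id=$2; new=$3
    tmp=$(mktemp) || return 1
    awk -v id="$id" -v new="$new" '
        $0 == "msgid \"" id "\"" { print; hit = 1; skip = 0; next }
        hit && /^msgstr /        { print "msgstr \"" new "\""
                                   hit = 0; skip = 1; changed = 1; next }
        skip && /^"/             { next }
                                 { hit = 0; skip = 0; print }
        END                      { exit (changed ? 0 : 2) }
    ' "$po" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$po" && rm -f "$tmp"   # keeps the file's owner and mode
}

# hide_version FILE: apply the two overrides suggested in the message.
hide_version() {
    set_msgstr "$1" 'Version %1 has been developed by %2.' 'Developed by %2.' &&
    set_msgstr "$1" 'Version %1' ' '
}

# version_strings_left FILE: count entries whose effective text (msgstr, or
# the msgid when msgstr is empty) still contains "Version %1".
version_strings_left() {
    awk '
        /^msgid /  { id = $0 }
        /^msgstr / { eff = ($0 == "msgstr \"\"") ? id : $0
                     if (index(eff, "Version %1")) n++ }
        END        { print n + 0 }
    ' "$1"
}

# Usage: sh hide-version.sh /opt/zendto/config/locale/en_US/LC_MESSAGES/zendto.po
# followed by /opt/zendto/bin/makelanguages to compile the .po files.
if [ -n "${1:-}" ]; then
    hide_version "$1" && echo "version strings left: $(version_strings_left "$1")"
fi
```

Running version_strings_left again after a package upgrade shows whether the overrides survived the regenerated .po file.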
