Search found 30 matches

by TerraFrost
Mon Jul 19, 2010 4:52 am
Forum: [3.x][Archive] RFCs
Topic: [RFC|Accepted] Updated BBcode engine
Replies: 146
Views: 250340

Re: [RFC] Updated BBcode engine

I've committed some more updates. A tentative idea I have for the ACP interface is this: people can add whatever attributes they see fit (close, replace, replace_func, etc). If they do something like replace_func they'll be presented with a dropdown menu where they can select from the currently ...
by TerraFrost
Fri Jun 18, 2010 3:36 am
Forum: [3.x][Archive] RFCs
Topic: [RFC|Accepted] Updated BBcode engine
Replies: 146
Views: 250340

Re: [RFC] Updated BBcode engine

Hey Jim, can you please rename your branch to the proper feature/bbcode (or whatever you want to call the feature). Make sure there is a ticket for this on the tracker and then please use git rebase to edit your commit messages to conform with http://wiki.phpbb.com/display/DEV/Git. Thanks.

It ...
by TerraFrost
Thu Jun 03, 2010 11:55 am
Forum: [3.x][Archive] RFCs
Topic: [RFC|Accepted] Updated BBcode engine
Replies: 146
Views: 250340

Re: [RFC] Updated BBcode engine

Hey Jim, can you please rename your branch to the proper feature/bbcode (or whatever you want to call the feature). Make sure there is a ticket for this on the tracker and then please use git rebase to edit your commit messages to conform with http://wiki.phpbb.com/display/DEV/Git. Thanks.

It ...
by TerraFrost
Thu May 20, 2010 9:24 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Javascript password protection
Replies: 14
Views: 43129

Re: [RFC] Javascript password protection

I count 50 kb of javascript code being referenced here and I see references to php libraries for performing cryptography. Who audited all this code and where is a guarantee that it does not have a bug that would allow someone to login with an incorrect password, or with no password?
All the ...
by TerraFrost
Thu May 20, 2010 6:11 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Javascript password protection
Replies: 14
Views: 43129

Re: [RFC] Javascript password protection

At least not for the average attacker. And what about average user:
1. Will password masters work in such cases?
If encrypted onsubmit then yes.

2. What about JavaScript-disabled browsers?
No.

3. What about CLDC devices? Will they have enough resources to perform encryption? Native browsers ...
by TerraFrost
Mon May 17, 2010 10:53 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Javascript password protection
Replies: 14
Views: 43129

Re: [RFC] Javascript password protection

Additional protection through encryption is reliable. But there is one but.

Encoder (your code) is delivered to end user through the same channel, by which will be transferred encrypted password(which is completely controlled by attacker in any case). What prevents an attacker to completely ...
by TerraFrost
Mon May 17, 2010 8:40 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Javascript password protection
Replies: 14
Views: 43129

[RFC] Javascript password protection

Currently, unless you're using SSL/TLS, phpBB submits passwords in plaintext when users login. This isn't much of a problem unless you're on a potentially hostile network (ie. maybe a coffee shop where there's an evil twin or something) but if it is a problem then the phpBB Javascript Password ...
by TerraFrost
Mon May 17, 2010 8:30 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC|Accepted] Updated BBcode engine
Replies: 146
Views: 250340

[RFC|Accepted] Updated BBcode engine

The feature/ascraeus-experiment branch has, among other things, a rewritten BBcode parser that protects against structurally invalid BBcodes. The proposal here is to integrate that parser into the regular develop branch.

To do so, fairly extensive changes to the feature/ascraeus-experiment parser ...
by TerraFrost
Wed Mar 17, 2010 7:54 pm
Forum: [3.0/Olympus] Discussion
Topic: PECL BBCode Extension
Replies: 10
Views: 27256

Re: PECL BBCode Extension

Looking at the bbcode_create() example , I see that the BBCode only permits [b] and [i] as children.

[code][url=http://www.google.com][img]http://www.google.com/images/firefox/personas.png[/img] [/code]

The flip side, of course, is that you also can't use the BBCode to produce broken HTML like ...
by TerraFrost
Wed Mar 10, 2010 11:44 pm
Forum: [3.x][Archive] RFCs
Topic: [RFC] Secure Automatic Upgrades
Replies: 21
Views: 48976

Re: [RFC] Secure Automatic Upgrades

Incidentally, I was thinking about the public key and... maybe it'd be best to use a pgp / gpg formatted public key. The advantage of that is that easily available command line tools can be used to generate signatures and verify signatures (if you don't want phpBB to auto-upgrade). The disadvantage ...