
[Tiki-devel] problem running doc/devtools/svnup.sh


[Tiki-devel] problem running doc/devtools/svnup.sh

Geoff - Enmore Services

Hi – I do a standard overnight update to all my test sites with a cron that runs svnup.sh – I’ve been doing this for ages

 

But I’ve just noticed that for my trunk test site (uses php7.0 and is up to date at r61355) I’m getting these errors that I do not understand – I’ve not checked my other test sites yet so I don’t know if they are doing the same - I’ve deleted some of the path characters in the output below to protect the innocent :)

 

Warning: mysqli_connect(): (HY000/2002): No such file or directory in /xxxxxx/opendev4.enmoreservices.com/doc/devtools/release.php on line 299

SecDB step failed because some filenames need escaping but no MySQL connection has been found (No such file or directory).

Try this command line instead (replace HOST, USER and PASS by a valid MySQL host, user and password) :

 

        /usr/local/php70/bin/php -d mysqli.default_host=HOST -d mysqli.default_user=USER -d mysqli.default_pw=PASS doc/devtools/release.php --only-secdb --no-check-svn

 

Fatal: Cannot open /xxxxxxx/opendev4.enmoreservices.com/installer/../db/tiki-secdb_17.0svn_mysql.sql

 

 

Looks like release.php has been updated recently – do I have to do something different??

 

Any suggestions?

 

Thanks

 

geoff

 

 

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2016.0.7998 / Virus Database: 4756/14004 - Release Date: 02/23/17


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TikiWiki-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/tikiwiki-devel

Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Cloutier, Philippe (RESSOURCE EXTERNE)

Hi Geoff,

See inline questions.

 

 

From: Geoff - Enmore Services [mailto:[hidden email]]
Sent: 23 February 2017 06:12
To: 'Tiki developers' <[hidden email]>
Subject: [Tiki-devel] problem running doc/devtools/svnup.sh

 

Hi – I do a standard overnight update to all my test sites with a cron that runs svnup.sh – I’ve been doing this for ages

 

But I’ve just noticed that for my trunk test site (uses php7.0 and is up to date at r61355) I’m getting these errors that I do not understand – I’ve not checked my other test sites yet so I don’t know if they are doing the same - I’ve deleted some of the path characters in the output below to protect the innocent :)

 

Warning: mysqli_connect(): (HY000/2002): No such file or directory in /xxxxxx/opendev4.enmoreservices.com/doc/devtools/release.php on line 299

SecDB step failed because some filenames need escaping but no MySQL connection has been found (No such file or directory).

Try this command line instead (replace HOST, USER and PASS by a valid MySQL host, user and password) :

 

        /usr/local/php70/bin/php -d mysqli.default_host=HOST -d mysqli.default_user=USER -d mysqli.default_pw=PASS doc/devtools/release.php --only-secdb --no-check-svn

 

Fatal: Cannot open /xxxxxxx/opendev4.enmoreservices.com/installer/../db/tiki-secdb_17.0svn_mysql.sql

 

 

Looks like release.php has been updated recently – do I have to do something different??

[Philippe Cloutier] Which update are you referring to?

 

Any suggestions?

[Philippe Cloutier] Try “downdating” to before the change?

 

Thanks

 

geoff

 

 


Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Jonny Bradley-4
In reply to this post by Geoff - Enmore Services
Hi Geoff

Nice to get some feedback about these things! :)

A while ago i added a call to update the secdb file when running svnup.sh so that we could detect file modifications on svn checkouts like we can on release tarball-installed tiki (as discussed in another place), and part of that function was a call to a somewhat deprecated mysql function to escape filenames (mysqli_real_escape_string) before storing them in the database, however, by my reckoning no standard tiki files actually need escaping like that and so i'm surprised you're getting this error - do you have any custom files with "weird" characters in the filenames (like not plain ascii)?

This runs fine on all my tikis, i guess i should add the filename to that error message, which would help track this down...

Meanwhile you could comment out line 42 of svnup.sh i guess - sorry about that ;)

jonny







Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Cloutier, Philippe (RESSOURCE EXTERNE)
Jonny, the error is not due to non-ASCII characters. md5_check_dir() calls mysqli_real_escape_string() unconditionally in case the string needs to be escaped. mysqli_real_escape_string() is called whether or not the string contains non-ASCII characters. The question is why mysql_connect() fails. I would guess Geoff's php-cli does not have the mysqli extension enabled.

By the way, I find it poor that svnup.sh depends on release.php. It would be best to move the shared code into some library (but which file?).

Philippe Cloutier
Tiki developer/configurator
Service des systèmes d’information du Registre foncier
Direction des systèmes d’information
Direction générale du soutien aux opérations
Ministère de l'Énergie et des Ressources naturelles
Québec (Québec)  G1H 6R1
Telephone: 418 627-6282, ext. 2209
[hidden email]
mern.gouv.qc.ca



Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Jonny Bradley-4
Hi Chealer,

That's odd, i thought i put a preg_match test before the call to mysqli_real_escape_string for it not to bother if the filename was just "normal" chars in r59465, but maybe i got it wrong? (it looks like that to me, test on line 296, mysqli_connect on line 299, no?)

Regarding it being "poor" that it depends on a file in doc/devtools, i decided this was probably ok because a: it is already a file in doc/devtools and b: it's only relevant to svn checkouts and c: it was the quickest easiest thing to do with the limited time i have available for (volunteer) security work.

There are three functions in tiki called md5_check_dir which all appear slightly different, and the other two seemed to be broken and/or unused. I agree, a proper refactoring and tidy-up would be good in this respect.

I did email the security list about this on 18 August 2016, but received no replies or feedback until now (i know you weren't around then, we've missed you! ;)

jonny
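
The messages above describe release.php testing each filename and calling mysqli_real_escape_string() (which needs a MySQL connection) only when a name is not made of "normal" characters. The script below is an added example, not part of the thread or of Tiki: it lists the files in a checkout that would fail such a test, so the name that triggers the connection attempt can be found. The helper name `names_needing_escape` and the safe character set are assumptions, since the pattern release.php actually uses is not quoted here.

```shell
#!/bin/sh
# Added example (not Tiki code). The safe character set below is an ASSUMED
# definition of a "normal" filename; release.php's real pattern is not
# quoted in this thread.

# names_needing_escape DIR   (hypothetical helper name)
# Lists every file under DIR whose relative path contains a byte outside
#   A-Z a-z 0-9 _ . / -
# Returns 0 if no such file exists, 1 if any was listed, 2 if DIR is missing.
names_needing_escape() {
    [ -d "$1" ] || return 2
    # LC_ALL=C makes the match byte-wise, so non-ASCII names are caught
    # whatever locale the cron job runs under.
    # -prune skips Subversion metadata; -exec ... {} + hands names over as
    # arguments, so quotes or newlines inside a name cannot split it.
    _hits=$(cd -- "$1" && LC_ALL=C find . -name .svn -prune -o -type f -exec sh -c '
        for p do
            p=${p#./}
            case $p in
                *[!A-Za-z0-9_./-]*)
                    # Show control and non-ASCII bytes as "?": one line per file.
                    printf "%s" "$p" | tr -c "[:print:]" "[?*]"
                    echo
                    ;;
            esac
        done' sh {} +)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    return 1
}

# Usage: sh this-script /path/to/tiki/checkout
if [ "$#" -gt 0 ]; then
    names_needing_escape "$1"
fi
```

An empty listing means, by the description in the thread, that the SecDB step should not need the escape call at all for that checkout.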




Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Geoff - Enmore Services
Hi - I thought I'd better give an update from me as I sort of instigated this thread by reporting a problem I was having with one of my test sites (for trunk)

These test sites go back a long time and have been upgraded through many versions of Tiki but are generally quite stable.

For the trunk test site however it got worse and worse with more fatal errors occurring so that in the end I deleted all the code and did a fresh checkout, 'booted' it from the existing database and reran svnup.sh to get all the 3rd party stuff etc.

 - and guess what, it has all run fine since then

I can't explain what went wrong but a good clear out sorted it

g


Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Cloutier, Philippe (RESSOURCE EXTERNE)
In reply to this post by Jonny Bradley-4
Hi Jonny,
You must be correct about mysqli_real_escape_string(). I was basing my comment on a careless reading of the code. I apologize.

Philippe Cloutier
Tiki developer/configurator
Service des systèmes d’information du Registre foncier
Direction des systèmes d’information
Direction générale du soutien aux opérations
Ministère de l'Énergie et des Ressources naturelles
Québec (Québec)  G1H 6R1
Telephone: 418 627-6282, ext. 2209
[hidden email]
mern.gouv.qc.ca



Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Jonny Bradley-4

> On 3 Mar 2017, at 15:19, Cloutier, Philippe (RESSOURCE EXTERNE) <[hidden email]> wrote:
>
> Hi Jonny,
> You must be correct about mysqli_real_escape_string(). I was basing my comment on a careless reading of the code. I apologize.

...and I apologise for my unforgivable lack of comments! Thanks for r61469 ;)

jb



Re: [Tiki-devel] problem running doc/devtools/svnup.sh

Cloutier, Philippe (RESSOURCE EXTERNE)
It's really more an excuse to remove a superfluous line. We have areas which need comments 10 times more than that simple function which I somehow managed to misread anyway!

Philippe Cloutier
Tiki developer/configurator
Service des systèmes d'information du Registre foncier
Direction des systèmes d'information
Direction générale du soutien aux opérations
Ministère de l'Énergie et des Ressources naturelles
Québec (Québec)  G1H 6R1
Telephone: 418 627-6282, ext. 2209
[hidden email]
mern.gouv.qc.ca


-----Original Message-----
From: Jonny Bradley [mailto:[hidden email]]
Sent: 3 March 2017 10:58
To: Tiki developers <[hidden email]>
Subject: Re: [Tiki-devel] problem running doc/devtools/svnup.sh


> On 3 Mar 2017, at 15:19, Cloutier, Philippe (RESSOURCE EXTERNE) <[hidden email]> wrote:
>
> Hi Jonny,
> You must be correct about mysqli_real_escape_string(). I was basing my comment on a careless reading of the code. I apologize.

...and I apologise for my unforgivable lack of comments! Thanks for r61469 ;)

jb

