No new logos?
category: general [glöplog]
Quote:
Broderick's logo is much better with a blue background, did you change it Analogue?
Yeah, he asked me to, smart move ;)
Also I wonder how soon will someone notice that you can upload with any filename and use that to hack pouet. Or that you can upload the same logo 1000x times and prolly go unnoticed and get thumbed up 1000 times. ("I thought I thumbed this before?")
Gargaj : ... you...... twat !.... i cant now upload a logo i splent some time on because the script is blocked :D
..ok that was too rude, i was driven by emotions, hopefully this wont happen again :D
Quote:
Also I wonder how soon will someone notice that you can upload with any filename and use that to hack pouet. Or that you can upload the same logo 1000x times and prolly go unnoticed and get thumbed up 1000 times. ("I thought I thumbed this before?")
Yeah, we should lock and moderate everything out so that you all feel like condemned people, all just because someone is paranoïd. Explain me how do you plan to hack pouet by uploading "any" filename exactly ?
well i think garg was talking about uploading php or perl or whatever script and executing it later but i dont think /gfx/logos/ is configured for script execution.
anyway i cnt figure, how can you deal with uploading same logo, no automated method could help because one can basically change filename, and add some bytes to the end of the picture ( as it's handled properly by browsers and 99.9999% of other applications ), thus neither size nor CRC or whatever hash will be the same. you could use sophisticated methods of analyzing image visual parameters, but then pouet will basically halt :D ( ant it'll take you _a while_ to code needed stuff ).
anyway i cnt figure, how can you deal with uploading same logo, no automated method could help because one can basically change filename, and add some bytes to the end of the picture ( as it's handled properly by browsers and 99.9999% of other applications ), thus neither size nor CRC or whatever hash will be the same. you could use sophisticated methods of analyzing image visual parameters, but then pouet will basically halt :D ( ant it'll take you _a while_ to code needed stuff ).
meanwhile, could you please add the following logo ( thx in advance )
so the fact that anyone can upload a file called ".htaccess" and break pouet with a wonderful "INTERNAL SERVER ERROR" is oblivious?
fadeout: submit it yourself.
Gargaj: is it a fact ? I don't know what oblivious means but I know what a fact is, and what you said isn't a fact. I don't know why you make such a fuss about this logo upload feature, it's been five years anyone can upload any file to make it an avatar, and we have yet to see any abuse with it.
Your former tip about the 20 glops awarded was a legit one and I fixed it, thanks. But all this talk about some abuse or imaginative hack looks like some script-kiddie stuff. Pouet isn't some lame PHP-Nuke portal ;)
Gargaj: is it a fact ? I don't know what oblivious means but I know what a fact is, and what you said isn't a fact. I don't know why you make such a fuss about this logo upload feature, it's been five years anyone can upload any file to make it an avatar, and we have yet to see any abuse with it.
Your former tip about the 20 glops awarded was a legit one and I fixed it, thanks. But all this talk about some abuse or imaginative hack looks like some script-kiddie stuff. Pouet isn't some lame PHP-Nuke portal ;)
fadeout: if I check the width and height of the uploaded picture, don't you all think I also need to check for the filetype, because without knowing if it's a GIF or else, how could I know the width and height of the picture ?
analogue: Considering that up to the point of sceneid integration i was able to retrieve any password from the database with a really simple SQL-injection hack (which I mailed you with), I'm not turning a blind-eye over any of the possibilities anymore.
Garg : you mean due to the integration you dont need to login into the databse anymore, it's like a trust-trust link ? now that's i had never understood and never will. some most harmful hacks of past were (ab)using exactly this feature ( be it sql trust or some html metaheader trust in chats/online shops whatsoever ).
analogue : yes, i thing garg has a very right point on this ( especially if you can 'drop' without additional authetication ).
concerning images : i'm sorry i couldn get a single bit of your question. i mean, i did get the question but how is it related ? yes, you obviously do check filetype ( if there is no common library which uses some GetImageParams() and detects filetype itself, i'm not that familiar with you php config here ). even more, you can ( tho erroneously sometimes ) get aware of the filetype by it's extension, yes, so ?
i was talking about any automated method of similar images recognition, which obviously would be too complicated or could be easily bypassed. so by now premoderation seems to be the only solution ( which i was talking before, as it can kill two birds with one stone ie preselection + dupe/fake cutoff ).
thus the simple way would be making some other database table with just-submitted images, to where the recently introduced script would add, and another logos-moderation.php which would be exact copy of logos.php with that difference that it'll be only accessible for gloperators+administrators and it'll show logos from just-added list and simply copy the entry into main logos table on 'approve' press. well, and delete them on 'reject'.
analogue : yes, i thing garg has a very right point on this ( especially if you can 'drop' without additional authetication ).
concerning images : i'm sorry i couldn get a single bit of your question. i mean, i did get the question but how is it related ? yes, you obviously do check filetype ( if there is no common library which uses some GetImageParams() and detects filetype itself, i'm not that familiar with you php config here ). even more, you can ( tho erroneously sometimes ) get aware of the filetype by it's extension, yes, so ?
i was talking about any automated method of similar images recognition, which obviously would be too complicated or could be easily bypassed. so by now premoderation seems to be the only solution ( which i was talking before, as it can kill two birds with one stone ie preselection + dupe/fake cutoff ).
thus the simple way would be making some other database table with just-submitted images, to where the recently introduced script would add, and another logos-moderation.php which would be exact copy of logos.php with that difference that it'll be only accessible for gloperators+administrators and it'll show logos from just-added list and simply copy the entry into main logos table on 'approve' press. well, and delete them on 'reject'.
Ok guys, I'm *NOT* moderating the logo because two of you want two. I'm aware of the security problems uploading a file brings with PHP, but there isn't any here.
Moderating the logos will just slow things down and it won't resolve any security hole with the uploading of files, as files would be uploaded anyway to be moderated.
Finally, Gargaj, Pouet and any other webapps I worked on never kept the passwords uncrypted, and you sound like you could get any password easily in 5 min, it was not the case and you know it, even if with some time you could.
You sound like you own me on code and on security, you are free to, I'm not here to prove anything, and if you think the upload logo or any other feature on pouet is a security risk for its users, prove it. I won't disable any feature because of some paranoïa, I will fix it if I'm brought some facts before my own eyes. Don't assume I code with my feets, thanks.
And you wonder why I'm not working a lot on Pouet now...
Moderating the logos will just slow things down and it won't resolve any security hole with the uploading of files, as files would be uploaded anyway to be moderated.
Finally, Gargaj, Pouet and any other webapps I worked on never kept the passwords uncrypted, and you sound like you could get any password easily in 5 min, it was not the case and you know it, even if with some time you could.
You sound like you own me on code and on security, you are free to, I'm not here to prove anything, and if you think the upload logo or any other feature on pouet is a security risk for its users, prove it. I won't disable any feature because of some paranoïa, I will fix it if I'm brought some facts before my own eyes. Don't assume I code with my feets, thanks.
And you wonder why I'm not working a lot on Pouet now...
Gargaj: I just saw you tried some lame trick already. Insert Coin...
haha... just added a logo, and i saw that i fuxored my transparency... i feel so dumb.
anaaaaaa please :)
is there a way to re-up it ?
anaaaaaa please :)
is there a way to re-up it ?
Ho and btw, i could moderat logo submit, but i don't know if a lot of logos will be accepted ^^;
KENET CUL§1 <3
Quote:
It may be a pain in your ass but I was never a member of that group, but I call (a part of) them friends.( tho madenmann is not that reliable in this case, as he's of ex-metalvotze :D )
Quote:
but I call (a part of) them friends
Eew, you sick bastard!
:-)
Quote:
haha... just added a logo, and i saw that i fuxored my transparency... i feel so dumb.
anaaaaaa please :)
is there a way to re-up it ?
webmaster@pouet.net.
marche pas ton mail
What is the algorythm for picking a logo at page-load time?
Gargaj's idea wasn't the bestest. Some of our most honoured sceners have lost glöps.
would be nice to see HOW MANY people voted a logo down...
btw. the whole voting prozess is after some minutes a pain: It get on your nerves if you have to single-select the logos. What about some checkboxes below the logos with vote up or down and that for all logos you could see on one page in one time?
btw. the whole voting prozess is after some minutes a pain: It get on your nerves if you have to single-select the logos. What about some checkboxes below the logos with vote up or down and that for all logos you could see on one page in one time?
i agree with titus!
