
Media (91)
-
Valkaama DVD Cover Outside
4 October 2011, by
Updated: October 2011
Language: English
Type: Image
-
Valkaama DVD Label
4 October 2011, by
Updated: February 2013
Language: English
Type: Image
-
Valkaama DVD Cover Inside
4 October 2011, by
Updated: October 2011
Language: English
Type: Image
-
1,000,000
27 September 2011, by
Updated: September 2011
Language: English
Type: Audio
-
Demon Seed
26 September 2011, by
Updated: September 2011
Language: English
Type: Audio
-
The Four of Us are Dying
26 September 2011, by
Updated: September 2011
Language: English
Type: Audio
Other articles (31)
-
Use, discuss, criticize
13 April 2011, by
Talk to people directly involved in MediaSPIP’s development, or to people around you who could use MediaSPIP to share, enhance or develop their creative projects.
The bigger the community, the more MediaSPIP’s potential will be explored and the faster the software will evolve.
A discussion list is available for all exchanges between users.
-
MediaSPIP 0.1 Beta version
25 April 2011, by
MediaSPIP 0.1 beta is the first version of MediaSPIP proclaimed as "usable".
The zip file provided here only contains the sources of MediaSPIP in its standalone version.
To get a working installation, you must manually install all software dependencies on the server.
If you want to use this archive for an installation in "farm mode", you will also need to proceed to other manual (...)
-
Accepted formats
28 January 2010, by
The following commands give information about the formats and codecs handled by the local ffmpeg installation:
ffmpeg -codecs
ffmpeg -formats
Accepted input video formats
This list is not exhaustive; it highlights the main formats used:
h264: H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10
m4v: raw MPEG-4 video format
flv: Flash Video (FLV) / Sorenson Spark / Sorenson H.263
Theora
wmv:
Possible output video formats
Initially, we (...)
On other sites (2976)
-
How to limit duration of the video with Dropzonejs?
26 June 2015, by SNaRe
I have a form through which I upload videos, and the duration/length of the video is important.
After I upload the file with PHP, I check the duration of the video file size with FFMpeg.
I calculate the duration in PHP and need to send the value of the duration via PHP somehow. I think I have to append the duration to the $result variable of the JSON.
This is my html
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script src="https://rawgit.com/enyo/dropzone/master/dist/dropzone.js"></script>
<script type="text/javascript">
Dropzone.options.myDropzone = {
    maxFiles: 1,
    acceptedFiles: "image/*,video/*",
    maxfilesexceeded: function (file) {
        this.removeAllFiles();
        this.addFile(file);
        $('#infomsg').hide();
    },
    init: function () {
        $('#infomsg').hide();
        this.on("success", function (result) {
            $('#infomsg').show();
            $("#boatAddForm").append($('<input type="hidden" ' +
                'name="files[]" ' +
                'value="' + result.name + '">'));
        });
    }
};
</script>
This is the most minimal example of Dropzone. The upload in this
example doesn’t work, because there is no actual server to handle
the file upload.
This is my PHP
<?php
$ds = DIRECTORY_SEPARATOR;
$storeFolder = 'uploads';
if (!empty($_FILES)) {
    $tempFile = $_FILES['file']['tmp_name'];
    $targetPath = dirname(__FILE__) . $ds . $storeFolder . $ds;
    // basename() keeps only the final path component of the client-supplied name
    $targetFile = $targetPath . basename($_FILES['file']['name']);
    move_uploaded_file($tempFile, $targetFile);
} else {
    $result = array();
    $files = scandir($storeFolder); // list the files already uploaded
    if (false !== $files) {
        foreach ($files as $file) {
            if ('.' != $file && '..' != $file) { // skip the directory entries
                $obj['name'] = $file;
                $obj['size'] = filesize($storeFolder . $ds . $file);
                $result[] = $obj;
            }
        }
    }
    // send a single JSON content type for the file listing
    header('Content-type: application/json');
    echo json_encode($result);
}
If I could check a custom json response right after
Dropzone.options.myDropzone = {
like other requirements for success, I won’t have to write if statements in success in order to check the validation.
Basically I want to do it as I do like
maxFiles: 1,
without writing any conditions inside success
-
avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
30 September 2015, by Michael Niedermayer
avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
The variable is not a constant and can lead to race conditions
Fixes: repro.webm (not reproducible with FFmpeg alone)
Found-by: Dale Curtis <dalecurtis@google.com>
Tested-by: Dale Curtis <dalecurtis@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Evolution #3926: Replacement of safehtml by the htmlpurifier plugin or another
17 August 2018, by Guillaume Fahrner
After spending quite a lot of time looking for a solution that is both secure AND functional, here is what I arrived at without breaking everything or having to normalize "100 years of history". The SPIP version used is SPIP 3.2.1 [23954]. In short: I invert the current logic and trust the output of safehtml from the Purifier plugin:
I modified the echapper_html_suspect() function in inc/texte_mini.php, the echappe_anti_xss() function of the textwheel plugin and 2 YAML rules and... that's all:
inc/texte_mini.php:
function echapper_html_suspect($texte, $strict=true) {
    if (!$texte
        or strpos($texte, '<') === false or strpos($texte, '=') === false) {
        return $texte;
    }
    // when the text goes through propre we are more lenient as long as there is no attribute of the onxxx= type
    // because otherwise we trigger on models or resources
    if (!$strict and
        (strpos($texte,'on') === false or !preg_match(",<\w+.*\bon\w+\s*=,UimsS", $texte))
    ){
        return $texte;
    }
    $safed_texte = safehtml($texte);
    if (strlen($safed_texte) !== strlen($texte)) {
        $texte = $safed_texte;
    }
    return $texte;
}
plugins-dist/textwheel/wheels/spip/echappe-js.php:
function echappe_anti_xss($match) {
    static $safehtml;
    if (!is_array($match) or !strlen($match[0])) {
        return "";
    }
    $texte = &$match[0];
    if (
        (strpos($texte, ":") !== false and preg_match(",(data|script)\s*:,iS", $texte) ) or
        (stripos($texte, "on") !== false and preg_match(",\bon\w+\s*=,i", $texte) )
    ) {
        if (!isset($safehtml)) {
            $safehtml = charger_fonction('safehtml', 'inc', true);
        }
        $texte = $safehtml($texte);
    }
    return $texte;
}
plugins-dist/textwheel/wheels/spip/echappe-js.yaml:
-
  if_str: "<script"
  match: "{<script.*?($|</script.)}isS"
  is_wheel: y
  replace:
    -
      type: all
      replace: htmlspecialchars
      is_callback: Y
    -
      type: all
      replace: nl2br
      is_callback: Y
    -
      type: all
      replace: "<code class=\"echappe-js\">$0</code>"
-
  if_str: "<"
  match: "<[a-z]+.*?($|>)UisS"
  is_callback: Y
  replace: echappe_anti_xss
plugins-dist/textwheel/wheels/spip/interdire-scripts.yaml:
securite-js:
  if_str: "<"
  if_match: "/<[a-z]+/iS"
  type: all
  replace: "echappe_js"
  is_callback: Y
For now, regarding side effects/broken things (our functions are full of spip_log() calls and we display the code affected by safehtml() to quickly identify regressions):
- changing status by hovering over the bullets (inline onmouseover) no longer exists because the onmouseover attribute is removed by htmlPurifier (nothing complicated to fix in my opinion; better, it forces (very) clean development; I volunteer for the patch if needed)
Otherwise no problems: we publish/edit/delete our editorial objects as usual, their formatting has not changed, we install/update/remove our plugins, stats OK, config OK, etc. (we have already been using these modifications for several days).
On the performance side, the virtual machine is monitored via SNMP/librenms and we see no difference in CPU usage (thanks to the SPIP cache and OPcache) between before and after. Moreover, htmlPurifier is not called all the time, far from it; we only "rarely" pass the conditions in echappe_anti_xss().
On the security side:
- the JavaScript payloads at https://gist.githubusercontent.com/kurobeats/9a613c9ab68914312cbb415134795b45/raw/954b4d3a29cd0fbeb5b841b54126326a6c14a5c1/xss_vectors.txt were all tested without problems
- safehtml($_GET[]) passed the tests of the web vulnerability scanners BURP Pro and Acunetix Web Scanner without problems
On the release side:
It seems risky to me to wait for a major version of SPIP before fixing these security problems; especially since the transition can be made gently in 3.2 with a new version of textwheel and the replacement (finally) of plugin-dist/safehtml by htmlpurifier.
Hoping this helps and serves as a basis for what comes next.
g0uZ