Better Security for FCKeditor's File Upload Feature

 
From: "Justin J" <justin@PROTECTED>
Date: May 10th 2010

I've been trying to get FCKeditor to play a little nicer with Dada Mail and get the File Upload stuff a little more secure. The newest version of FCKeditor is actually called CKeditor, but the file upload/browser portion of the script is not free, or free software, so I still sometimes rely on the older FCKeditor.

The problem is, FCKeditor's file upload feature is a potential security problem, since it allows an anonymous person to upload files to your hosting account. There's checks to what these files can be (which is great), but I think it's simply done by file ending (which is not).

To give FCKeditor credit, it tells you to plug in your own session handling stuff, and do not just flip on/override the security it, um, doesn't have. Ok.

I first attempted to augment the "Perl" version of the connector and quickly gave up - the Perl code included with FCKeditor is a steaming pile and I wouldn't touch it, or even suggest anyone to use it. The red herring is always when there's code in the script itself to attempt to parse a get/post - it's always going to be fraught with errors and I'm sure security issues. That's why we have modules, people.

What I did find out is, you can't attempt to use Dada Mail's session handling stuff from inside FCKeditor's included Perl connector - it mucks up the connector itself. A bug in FCKeditor, I'm thinking. Nothing I can do.

I then tried to augment the included php connector. The code looks better, but it may just look better, since I do not know enough php to know otherwise!

Anyways, using two languages seems to actually be a blessing, as each program doesn't seem to step on the other's toes.

php (like perl) has a system() call, to allow you to call an outside script. That outside script for us will be the session checker of Dada Mail. It'll let the php connector know if we're logged into a Dada Mail list, or not. If we're not, we won't be allowed to use the File Upload stuff.

Here's what I've done - it's actually not too too scary -

in FCKeditor's

    fckeditor/editor/filemanager/connectors/php/config.php

file, I've changed the lines,

    // SECURITY: You must explicitly enable this "connector". (Set it to "true").
    // WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
    // authenticated users can access this file or use some kind of session checking.
    $Config['Enabled'] = false ;

to,

    // SECURITY: You must explicitly enable this "connector". (Set it to "true").
    // WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only
    // authenticated users can access this file or use some kind of session checking.

    // http://php.net/manual/en/function.system.php
    // Note: When safe mode is enabled, you can only execute files within the safe_mode_exec_dir.
    // For practical reasons, it is currently not allowed to have components in the path to the executable.

    // system() returns the last line the script prints (the value of $checksout),
    // so the connector is only enabled when the Dada Mail session check passes.
    $Config['Enabled'] = system('./security.pl', $retval);

That was easy - excluding the comments, we've changed: 1 line.

I then made a small perl script called, "security.pl" with the following content:

    #!/usr/bin/perl

    use strict;
    use warnings;

    # Paths are relative to fckeditor/editor/filemanager/connectors/php,
    # five directories below public_html (see the layout assumed below).
    use lib qw(
        ../../../../../cgi-bin/dada
        ../../../../../cgi-bin/dada/DADA/perllib
    );
    use DADA::Config;
    use DADA::App::Guts;

    # Build the CGI object the same way Dada Mail does, so the session
    # check sees the same cookies/parameters as the connector request.
    use CGI;
    CGI->nph(1) if $DADA::Config::NPH == 1;
    my $q = new CGI;
    $q->charset($DADA::Config::HTML_CHARSET);
    $q = decode_cgi_obj($q);

    my ($admin_list, $root_login, $checksout) = DADA::App::Guts::check_list_security(
        -cgi_obj         => $q,
        -Function        => 'send_email',
        -manual_override => 1,
    );

    # This is the last line of output, which PHP's system() hands back
    # as the value of $Config['Enabled'].
    print $checksout;

    # Goes to STDERR (the web server error log), not to PHP.
    warn '$checksout ' . $checksout;

(I also attached this script)

I saved it in that same directory (fckeditor/editor/filemanager/connectors/php) and changed its permissions to, "755".

and, that's it - although you may very well have to change the, "use lib" paths. This assumes a similar situation to the below:

FCKeditor is installed in: /home/youraccount/public_html/fckeditor

Dada Mail is installed in: /home/youraccount/public_html/cgi-bin/dada

I then followed the instructions to get FCKeditor's file upload feature working:

http://dadamailproject.com/support/documentation-4_0_4/FAQ-general.pod.html#how_do_i_get_the_file_browser_working_in_fckeditor

Skipping over this part:

> The first variable:
>
>     $Config['Enabled'] = false ;
>
> Simply has to be set to, true.

That's all there is to it.

If anyone is interested in this, and would like to try this themselves, that would be pretty cool. I may polish the above up and add it to the docs for the next release.
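A fail-closed variant of the config.php change described above, added here as an example; it is not the post's own code, nor Dada Mail's or FCKeditor's. It assumes security.pl sits next to config.php and prints a bare 1 when the Dada Mail session check passes; the helper name dada_session_allows_upload is made up for this example.

```php
<?php
// Added example (not from the post): a fail-closed wrapper around the
// system() call to security.pl described above.
//
// system() returns only the last line the child prints, and false if the
// command cannot be run at all. The helper below also keeps the connector
// disabled when the script is missing or not executable, exits non-zero,
// or prints anything other than a bare "1", so any failure in the session
// check leaves file uploads switched off.

function dada_session_allows_upload($checker)
{
    // The checker must exist and be executable (the post sets mode 755).
    if (!is_file($checker) || !is_executable($checker)) {
        return false;
    }

    $output = array();
    $retval = 1;
    // escapeshellarg() keeps the path from being interpreted by the shell.
    exec(escapeshellarg($checker), $output, $retval);

    // A Perl script that dies (bad "use lib" path, missing module) exits
    // non-zero; treat that the same as "not logged in".
    if ($retval !== 0 || count($output) === 0) {
        return false;
    }

    // Only an exact "1" on the last output line enables the connector;
    // "0", an empty line or an error message all leave it disabled.
    $last = trim((string) end($output));
    return $last === '1';
}

// Same layout as the post assumes: security.pl lives beside config.php.
$Config['Enabled'] = dada_session_allows_upload(dirname(__FILE__) . '/security.pl');
```

The Perl script's warn() output goes to STDERR and is not part of $output, so a logged warning cannot accidentally count as a "1".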

  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is a group discussion list (unmoderated)
  • Start a new thread, email: dadadev@dadamailproject.com

This is the developer discussion mailing list for Dada Mail.

If you are just looking for support for Dada Mail, consult the message boards at:

https://forum.dadamailproject.com

Documentation for Dada Mail:

https://dadamailproject.com/d

Specifically, see the Error FAQ:

https://dadamailproject.com/d/FAQ-errors.pod.html

To post to this list, send a message to:

mailto:dadadev@dadamailproject.com

All subscribers of this list may post to the list itself.

Topics that are welcome:

  • Constructive critiques on the program (I like, "x", but, "y" needs some work - here's an idea on how to make this better...)
  • Bug/Error reports
  • Bug fixes
  • Request For Comments on any changes to the program
  • Help customizing Dada Mail for your own needs
  • Patches
  • Language Translations
  • Support Documentation/Doc editing, FAQ's, etc.
  • Discussion of any changes that you would like to be committed to the next version of Dada Mail

Dada Mail is on Github:

https://github.com/justingit/dada-mail/

If you would like to fork, branch, send over PRs, open up issues, etc.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collected through this mailing list are used explicitly to work within this email discussion list.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.