How can I disable Yii error pages? - yii2

I am moving into a production environment and the following is set:
error_reporting(E_ALL & ~E_NOTICE);
ini_set('display_errors', 0);
ini_set('log_errors', 1);
defined('YII_DEBUG') or define('YII_DEBUG', false);
defined('YII_ENV') or define('YII_ENV', 'prod');
defined('YII_ENABLE_ERROR_HANDLER') or define('YII_ENABLE_ERROR_HANDLER', false);
defined('YII_ENABLE_EXCEPTION_HANDLER') or define('YII_ENABLE_EXCEPTION_HANDLER', false);
However, I have noticed that Yii will still show that big beautiful stack trace filled with all sorts of goodies.
I know the best way to overcome this is to actually write sound code, however, that is not always possible when dealing with mischievous individuals.
Using:
Apache/2.4.27 (Amazon) PHP/7.0.25
Yii Framework/2.0.8
Testing:
<?php
ThisFunctionDoesNotExist();
?>
Although everything seems to be correct, it doesn't work. I am having similar issues as this guy: http://www.yiiframework.com/forum/index.php/topic/22583-yii-debug-false-shows-php-notice-errors-and-stops/

defined('YII_ENV') or define('YII_ENV', 'prod');
http://www.yiiframework.com/doc-2.0/guide-concept-configurations.html#environment-constants

Related

Chrome Update broke generated pdf download in php webapp - service worker seems at fault, but why?

So we have a little php web app that, among other things, allows the colleagues to export all the info into a pdf and download it.
This was done with wkhtmltopdf and the PDF was previously immediately forced to download, as in the "Save As" dialog would pop up instead of trying to open it in the browser, etc.
Headers included:
header('Content-Type: application/force-download');
header('Content-Type: application/octet-stream', false);
header('Content-Type: application/download', false);
header('Content-Type: application/pdf', false);
header('Content-Disposition: attachment; filename="' . basename($file) . '";');
header('Content-Transfer-Encoding: binary');
Now with the latest Chrome Update (71.0.3578.98) the PDF does not SEEM to be generated at all. It is not "force downloaded" or even shown in the browser, however via file->save as or the keyboard shortcut (ctrl+s) you can save it, so it is still generated, just not displayed in any way.
I noticed if I unregister the service worker on our page, it behaves as it had before the chrome update.
I've tested this on a few colleagues' computers, some with that newest version of Chrome, others before the update, and am 99.9% sure that is the culprit. What exactly made this change in behavior occur though, I am not sure.
Any idea how to get around this and have it "force" download again? Can I blacklist pdfs from the service worker somehow?
EDIT: Can also confirm this behavior from the following Chrome version: 72.0.3626.7 (Developer Build)
Alright so this was kinda quick, and I'd generally just delete this, but I have a sneaking suspicion this might come up more often for others as soon as this Chrome update starts being applied in more places.
So this might not be a legitimate "fix" for this, but by adding a few lines to my service worker's fetch block I was able to exclude the URLs which generate PDFs and therefore the download was again offered up as normal.
i.e.
self.addEventListener('fetch', function(event) {
    // Here you can use indexOf or a regex if you'd like
    if ( event.request.url.indexOf( '/format/pdf/' ) !== -1 ) {
        return false;
    } else {
        event.respondWith(
            caches.match(event.request).then(function(response) {
                return response || fetch(event.request);
            })
        );
    }
});

Cakephp security component error

The error is:
'_Token' was not found in request data.
It happens on the redirect at the end of an action
I went through the debug and I can see that it's coming from a function called _validToken()
I've no idea why this particular controller is doing this though, as I have others that do similar actions and are working perfectly
The action that triggers this does everything it's supposed to right up to the redirect at the end
The problem was not evident until I implemented SSL so it could have been there the whole time waiting to pounce!
I've only just started using the security component and I could really do with a few pointers, so if anyone out there could nudge me in the right direction I'd really appreciate it.
Cheers
So I figured this out eventually
It was such a simple problem
I had something like this at the end of my form:
<?=
$this->Form->button(__('Submit'));
$this->Form->end() ;
?>
It works. It also works when you turn on auth. But it stops working as soon as you load the security component
Change it to this:
<?= $this->Form->button(__('Submit')) ?>
<?= $this->Form->end() ?>
And it works with the security component
Silly mistake I suppose, but hard to find because it worked fine for most of the development process and then broke when I added the security component!

wp_enqueue_style Does Not Behave As Documented

I have the following written in a driver:
add_action( 'wp_enqueue_scripts', 'add_css_file' );
function add_css_file()
{
    // Tried this prior:
    // $path = ABSPATH . "/wp-content/plugins/this_plugin/css/";
    // wp_register_style( 'css_file', $path.'css_file.css' );
    wp_register_style( 'css_file', 'http://subdomain.mysite.com/wp-content/plugins/this_plugin/css/css_file.css' );
    wp_enqueue_style( 'css_file' );
}
The string "css_file" does not appear in the View Source HTML and the CSS rules defined therein do not take effect.
Have you included wp_head() in the <head> of your page? wp_head() will add your queued styles and scripts to the page.
The problem for me lay in the fact that I am modifying the Admin screen rather than the display of a Page or Post to viewers.
Replace:
add_action( 'wp_enqueue_scripts', 'add_css_file' );
With:
add_action( 'admin_enqueue_scripts', 'add_css_file' );
Best of luck.
I have just tried this snippet in my site, and it is working properly. You may get conflict with some other plugin/code.
Also make sure you don't have any Cache enabled, and if so, try to clean up the cache. Also try to clean out your browser cache.
Finally, if none of the above works for you, try to de-activate your plugins, one by one, in order to see if some of the plugins conflict with this function, and as a last step try to change the theme, also to make sure the current theme doesn't conflict with this function.

Embedding Image/Video Stream into webpage

I'm trying to create a PHP webpage that allows the visitor to see a video stream or an image coming from a webcam without allowing the visitors to grab its original URL/URI.
In other words, I have an ip camera operating at a given address:port and I can see the stream embedding in a HTML body something like this:
<img src="http://5.246.77.89:8080/videostream.cgi?user=myusername&pwd=mypass&resolution=32&rate=15" alt="">
or alternatively if we want a static image:
<img src="http://5.246.77.89:8080/snapshot.cgi?user=myusername&pwd=mypass&amp" alt="">
Now the problem is that anyone who looks at the HTML code behind the page will see the URL of the camera along with its user/password credentials, obviously. This allows the visitor to connect to the camera at any time even without having to go on the page that is hosting this service; they just need to type the URL into any browser:
http://myip:myport/videostream.cgi?user=admin&pwd=fewf2d53BVH&resolution=32&rate=15
I don't want the user to be able to do that. So I had an idea: If I'm able to wrap the stream into a PHP webpage acting as a 'man-in-the-middle' I can give the visitor the video without letting them know the original source. The original IP:PORT will be visible only from my server. Obviously they will always be able to use the URL of my webpage but they will never see the user/password of the camera and I can lock the service out at any time.
Furthermore, to improve security I can set up the router hosting the webcam to accept connections coming from my webserver only. This will act as a stealth against malicious users attempting to connect directly to the webcam.
What can I do on the server-side to obtain this behaviour?
Well, at least for images you could use curl...
As I've pointed out in the comments, you may create a php file (say, my.php) containing something like the following:
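<?php
// Fetch the image server-side so the credentials never appear in the page source
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://example.com/?password=4444&login=1111');
curl_setopt($ch, CURLOPT_HEADER, 0);          // body only, no response headers
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
curl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);
$picture = curl_exec($ch);
curl_close($ch);
// curl_exec() returns false on failure; do not send that as an image
if ($picture === false) {
    http_response_code(502);
    exit;
}
//Display the image in the browser
header('Content-type: image/jpeg');
echo $picture;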
and then just write:
<img src='my.php'>
P.S. Although I believe it is NOT the best way to do things, it looks like it solves the problem. No more private data in img src. I have never done anything like this with video formats, but as for images it seems quite easy.
You can read more about curl here: http://php.net/manual/en/book.curl.php
Another solution using above mentioned passthru:
<?php
Header("content-type:image/jpeg");
passthru("pic.jpg?login=11&pass=22");
?>
However, it is still only for images, because of the header... If you find anything that works with videos/video streaming, please, let me know!!
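A relay for the video stream itself, as an added example that is not part of the original question or answers and goes beyond the single-image case they cover. It assumes the camera serves MJPEG as multipart/x-mixed-replace; the environment variable names (CAMERA_BASE, CAMERA_USER, CAMERA_PWD) and the session flag may_view_camera are hypothetical.

```php
<?php
// stream.php (added example): relays the camera stream so the camera
// address and credentials stay on the server and never reach the browser.
session_start();
if (empty($_SESSION['may_view_camera'])) {  // hypothetical flag set by your login code
    http_response_code(403);                // lets you lock the service out at any time
    exit;
}
session_write_close();                      // release the session lock while streaming

// Assumed environment variables; the secret is kept out of the web root and the source.
$base  = getenv('CAMERA_BASE');             // placeholder, e.g. http://camera.internal:8080
$query = http_build_query([
    'user'       => getenv('CAMERA_USER'),
    'pwd'        => getenv('CAMERA_PWD'),
    'resolution' => 32,
    'rate'       => 15,
]);

set_time_limit(0);                          // the stream has no natural end
while (ob_get_level() > 0) {
    ob_end_clean();                         // drop output buffers so frames go out at once
}

$ch = curl_init($base . '/videostream.cgi?' . $query);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
// Forward only Content-Type (it carries the multipart boundary); every other
// camera header, which could reveal the device, is dropped.
curl_setopt($ch, CURLOPT_HEADERFUNCTION, function ($ch, $line) {
    if (stripos($line, 'Content-Type:') === 0) {
        header(trim($line));
    }
    return strlen($line);
});
// Pass each chunk straight through; returning a different length aborts the transfer.
curl_setopt($ch, CURLOPT_WRITEFUNCTION, function ($ch, $chunk) {
    if (connection_aborted()) {
        return 0;                           // viewer left: stop pulling from the camera
    }
    echo $chunk;
    flush();
    return strlen($chunk);
});
if (curl_exec($ch) === false) {
    // Log only the error number so the camera URL cannot end up in the logs.
    error_log('camera relay failed, curl errno ' . curl_errno($ch));
    if (!headers_sent()) {
        http_response_code(502);
    }
}
curl_close($ch);
```

The page then embeds `<img src="stream.php" alt="">`; each open viewer holds one PHP worker and one camera connection for as long as the page stays open.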

remove duplicate login link in MediaWiki using Shibboleth plugin

I've added shibboleth authentication (ShibAuthPlugin 1.2.3) to a MediaWiki site (mw 1.17). That turned out to be pretty straightforward, but I now have another related problem: I have two login links. I want only the Shibboleth login link to be available.
I can alter the CSS to hide the unwanted link, but that only makes it invisible. I want to disable it. The documented ways of disabling login links disable all login links. I'm new to MediaWiki and would expect to be able to make this change in the configuration and not have to hack the code to get what I want.
Perhaps someone familiar with MediaWiki can tell me if such a configuration setting exists, or if code modification is the best practice for solving this kind of problem.
Thank you in advance,
Peter
To just remove the login link, I suspect this FAQ entry may help; it seems to be more or less how the Shibboleth auth extension does its own login/logout link mangling. For convenience, let me copy the code here:
$wgHooks['PersonalUrls'][] = 'lfRemoveLoginLink';
function lfRemoveLoginLink( &$personal_urls, $title ) {
    unset( $personal_urls['login'] );
    unset( $personal_urls['anonlogin'] );
    unset( $personal_urls['createaccount'] );
    return true;
}
If you want to completely disable local login/logout, even if the user deliberately goes to Special:UserLogin, this solution might do the trick. Again, let me copy the relevant part of the code below:
function LessSpecialPages(&$list) {
    unset( $list['Userlogout'] );
    unset( $list['Userlogin'] );
    return true;
}
$wgHooks['SpecialPage_initList'][]='LessSpecialPages';