Update footer

[nicolasdanelon]

What if we add a changelog file like this one here in the repo?

And a new link in the footer with the subversion date or number like this:

Shaarli 0.0.41 beta - The personal, minimalist, super-fast, no-database delicious clone. By sebsauvage.net. Theme by idleman.fr.
Comminuty version 0.1.6

And maybe we can create a history page in the wiki to tell to the people why this fork :)

[nodiscc]

The next footer should be:

Shaarli (community) -- The personal, minimalist, super-fast, no-database delicious clone. By sebsauvage and contributors

(We should not display the version number to visitors, bur rather only display it in ?do=tools.)

Yes we should definitely add a word about "why this fork" in https://github.com/shaarli/Shaarli#about. The changelog can be found by visiting the repo's commit history for people who are interested.

[nicolasdanelon]

what do you think @nodiscc ?

[nodiscc]

@nicolasdanelon I think it's a bug and should be fixed before releasing 0.9beta

[nicolasdanelon]

@nodiscc I got a problem with this... If a ''cracker'' see my shaarli and he know that we got the code here in GitHub he can get the version of shaarli accesing the URL http://host.com/shaarli_version.txt
we need to add a .htaccess file to restrict this access!

[nicolasdanelon]

cat .htaccess
RewriteEngine on
RewriteRule .txt$ - [R=404]

[e2jk]

@nicolasdanelon I do agree that we shouldn't disclose the version ID (as explained by @nodiscc in his the second post here), but I'm somewhat confused by your message indicating you have a problem with this, since in the very first post you even suggesting putting the "subversion date or number" in the footer ;)

Anyway, this is somewhat similar to sebsauvage#214 and #81 although it doesn't involve the version number in the HTML, but rather that there is a file at a fixed location that contains the Shaarli version. I have opened a new issue #122 to track that separately.

[nicolasdanelon]

In the beginning I want to show the community version in the footer BUT now I see the power of that... And I don't "want" that feature any more. Because of that I think that we need to add a htaccess file with that restriction. @e2jk @nodiscc :)

[nodiscc]

@nicolasdanelon htaccess is apache specific. See Pull request #123.

Edit: anyway preventing version disclosures is pointless in the end, because proper vulnerability scanners like Metasploit provide modules to detect version based on heuristics, small page rendering differences, etc. I've put up #123 but this is likely the last time I deal with version disclosures. Heck, even a simple nmap scan can tell your OS/apache/other services version even when you properly disable headers. Security through obscurity blah blah.

Edit2: Have a look at wpscan which is able to tell exact version for both core and plugins of the world's most used blog CMS. Resistance. Is. Futile.

[dper]

Security through obscurity is not a great strategy. Hiding the version number won't stop attackers.

[nicolasdanelon]

@nodiscc I like the pull #123 but the current version is using .htaccess in cache, data, pagecache, tmp.... So.... ? index.php should deliver everything like in Laravel or WordPress does?
@pikzen wants to add symfony components to Shaarli (#108) .. Maybe for a refactor is finally the time :P

[nodiscc]

files in data/ are obfuscated in the same way I did in #123 (.php file extension, datastore contents are commented out). Files in cache/ and pagecache/ don't leak information unless you are able to enumerate the files in them. .htaccess files are just a convenience (because apache2 use is widespread and this is easy to add). Version disclosures are non-issues as said above. Feel free to refactor Shaarli if you have some time.

[nicolasdanelon]

@nodiscc @e2jk this is the last comment here. I promise. if we obscure the version N° in the footer what about this?

thanks! :) good work, I will use community version in my server since tomorrow

[nodiscc]

@nicolasdanelon Well spotted! I'll remove that, not because it discloses the current version, but because it has no purpose. It's there to prevent browser from using old, cached stylesheets, but anyway we use the no-cache HTTP header that prevents caching (even if this is bad for performance, we re-download the CSS on every page request).

[nicolasdanelon]

@nodiscc what about put date("Ym") so we can have a decent cache time ?
Edit : forget it... I'll try to force cache with my server.

[e2jk]

Let's discuss this specific issue further in #134.