Also added example config file in docker folder.
analysis/mod.sankeymaker.php
@@ -129,6 +129,10 @@ | |||
|
|||
|
|||
<?php | |||
$dataset = htmlentities($dataset); |
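Review bot: the added `$dataset = htmlentities($dataset);` is called without flags, so on PHP releases before 8.1 the default ENT_COMPAT leaves single quotes unencoded and a value dropped into a single-quoted attribute is still able to break out; pass the flags explicitly, e.g. `$dataset = htmlentities($dataset, ENT_QUOTES, 'UTF-8');`. Reassigning the encoded value also changes what every later use of `$dataset` in this file sees, including any non-HTML use, so encoding at each echo instead of mutating the variable would be the safer shape.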
This line is necessary and baffled me until I found this bit of code in analysis.common.functions.php. It looks like this will always pick up query parameters for analysis. I think we could apply htmlentities or htmlspecialchars to all the $_GET calls there.
The validate_all_variables function ought to be catching anything that could go into the database, but it does still allow someone to pull @stijn-uva's little ?dataset="><script src="data:text/javascript;charset=utf-8;base64,YWxlcnQoJ2hhY2tlZC4uLiBieSB0aGUgaWxsdW1pbmF0aScp"type="text/javascript" language="javascript"></script><input name="fake" type="hidden" value=" trick.
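The two layers this comment points at, strict validation of the dataset name before it reaches the database and context-aware encoding where it is echoed into HTML, as an added example that is not DMI-TCAT project code; the function names are hypothetical and the probe value is constructed after the quoted attribute-breakout payload.

```php
<?php
// Added example, not project code. Two layers for a request parameter such
// as ?dataset=...: validate the identifier before it reaches SQL, and encode
// for the HTML context at the point of output. Function names are hypothetical.

declare(strict_types=1);

// Accept only identifier-like dataset names. A value carrying quotes, angle
// brackets or "><script" is rejected before it can reach the query layer.
function read_dataset_param(array $get): string
{
    $value = $get['dataset'] ?? '';
    if (!is_string($value) || preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value) !== 1) {
        throw new InvalidArgumentException('invalid dataset name');
    }
    return $value;
}

// Encode for an element body or a quoted attribute. ENT_QUOTES is explicit
// because the default flags on PHP < 8.1 leave single quotes untouched,
// which matters for value='...' attributes.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the kind of hidden input the analysis modules emit, encoding at
// output rather than mutating a variable that is also used elsewhere.
function render_dataset_input(string $dataset): string
{
    return '<input name="dataset" type="hidden" value="' . html_attr($dataset) . '">';
}

// Constructed probe modelled on the attribute-breakout trick quoted above.
$probe = ['dataset' => '"><script>alert(1)</script><input name="fake" type="hidden" value="'];
try {
    read_dataset_param($probe);
} catch (InvalidArgumentException $e) {
    echo 'rejected by validation: ', $e->getMessage(), PHP_EOL;
}
// Even without the validation layer, output encoding keeps the value inside
// the attribute: every " becomes &quot; and every < becomes &lt;.
echo render_dataset_input($probe['dataset']), PHP_EOL;
// A well-formed name passes both layers unchanged.
echo render_dataset_input(read_dataset_param(['dataset' => 'elections_2019'])), PHP_EOL;
```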
Tested Docker deployment on Mac and Linux servers (tools). Does not work on Windows due to TokuDB.
Also tested Linux 20.04 direct installation and noted no issues with core functions (tweet collection, some analysis).
Updated echoes missing html special characters.
This is a simple fix that installs cron to the docker image which allows the controller.php to run. I also added a blank config that a user can just add their API credentials to. It should resolve issue 433 and I believe would have helped with issue 417.
Docker caveat: Data persists within the docker image, but if that image is rebuilt, it will be lost. You can thus stop and start the container with no issues and can run and update software within the container. But if we were to make any changes to the docker image that would require it to be rebuilt, collected data would not persist.
The solution seems to be to use docker's volumes. I attempted a few ways to store the database in a volume, but could not get it to reliably persist after a rebuild. The best solution would likely be to have the database in its own container, but that would require a bit more knowledge on how the rest of the application communicates with the database. Perhaps we can sit down and go through that at some point in the future.