I was pointed to this reported "security issue" today, and wanted to say a quick word about it.
The report is invalid. None of the specified URLs are exploitable.
action.php: has include('./config.php'); as its first line, and config.php defines $DIR_LIBS.
media.php: same thing: it includes config.php first, via a fixed path.
xmlrpc/server.php: again the same: it includes config.php via a fixed path.
xmlrpc/api_metaweblog.inc.php: this one is just funny, since this file doesn't execute any code when called (it's included from elsewhere). The only thing it does is compose an array and define a number of functions.
Including config.php as early as possible, via a path that does not depend on any variable, is crucial to Nucleus security: config.php defines essential variables (like $DIR_LIBS) before anything can use them, and it bootstraps Nucleus, including the security checks. That's why you'll receive a "Sorry, an error occurred" message when trying these URLs.
The previous security issue, which led to the release of Nucleus v3.23, was possible because PLUGINADMIN.php has no reliable way of knowing where it is executing, and therefore cannot include config.php in a safe way. Instead, this file is included from plugin admin areas, which include the config file first. Should have called the file PLUGINADMIN.inc, actually.
Anyway, there's no need to worry about this report. You're only vulnerable to it if you've got an empty config.php file, and in that case your site won't function anyway. As far as I know, Nucleus v3.23 is safe to use.
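To make the include-order argument above concrete, here is an added illustration (not Nucleus code, and not from the report). It assumes, as such reports of that era typically did, that register_globals lets a request parameter populate $DIR_LIBS; the paths, the function names and the hostile request are all constructed for the example.

```php
<?php
// Added illustration, not Nucleus code. Models register_globals importing the
// request into the global scope, then contrasts the include order the report
// assumed with the order the post describes. Paths and names are hypothetical.

// Stands in for config.php: an unconditional assignment of $DIR_LIBS.
function configPhp(): void {
    $GLOBALS['DIR_LIBS'] = '/var/www/nucleus/nucleus/libs/';
}

// Models register_globals=On: every request parameter becomes a global variable.
function registerGlobals(array $request): void {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// The order the report assumed: $DIR_LIBS is used in an include before any
// file has assigned it, so whatever the request supplied is what gets used.
function includePathWithoutConfig(array $request): string {
    unset($GLOBALS['DIR_LIBS']);
    registerGlobals($request);
    return ($GLOBALS['DIR_LIBS'] ?? '') . 'ACTION.php';
}

// The order the post describes for action.php, media.php and xmlrpc/server.php:
// config.php is included first via a path that depends on no variable, and it
// assigns $DIR_LIBS, overwriting anything the request put there.
function includePathWithConfigFirst(array $request): string {
    unset($GLOBALS['DIR_LIBS']);
    registerGlobals($request);
    configPhp();
    return $GLOBALS['DIR_LIBS'] . 'ACTION.php';
}

// Added practitioner's check (hypothetical, not Nucleus behaviour): a file that
// is only meant to be included can refuse to run when the bootstrap that sets
// $DIR_LIBS has not happened, instead of relying on its own name or location.
function assertBootstrapped(): void {
    if (!isset($GLOBALS['DIR_LIBS'])) {
        die('Sorry, an error occurred');
    }
}

// Constructed hostile request: the report's idea of supplying DIR_LIBS.
$hostile = ['DIR_LIBS' => 'http://attacker.example/'];

echo "config.php skipped:  ", includePathWithoutConfig($hostile), "\n";
echo "config.php included: ", includePathWithConfigFirst($hostile), "\n";
assertBootstrapped();
```

The first line of output shows the attacker's prefix in the include path; the second shows the administrator's path, because config.php's assignment runs after the request has already been imported. The same reasoning is why a file like PLUGINADMIN.php, which cannot locate config.php itself, is safe only when every caller includes config.php first; the assertBootstrapped() check above is one way such a file can enforce that rather than trust its callers.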
Posted by karma at 02:26 AM. Filed under: Inside Nucleus
Time to highlight another one of the new things in Nucleus v3.2: the new FormExtra and ValidateForm events. I was documenting them in the Plugin API documentation earlier today, so they are fresh in my memory.
Posted by karma at 07:35 PM. Filed under: Inside Nucleus
In Nucleus 3.2, there are some changes to how comment and member mail forms work. To the end user, this is visible in two ways:
- When an error occurs, the error will appear together with the comment form, rather than on a separate page.
- When an error occurs, the comment form is pre-filled with what the user had originally entered. This solves the problem of finding out that everything you wrote has gone after hitting the back button on an error page.
This article describes how all of this works, what has changed and how you can style the error message using the error class.
Posted by karma at 06:15 PM. Filed under: Inside Nucleus
This article is a quick introduction to how the Nucleus XML-RPC server works. Such an XML-RPC server is basically a PHP script that accepts an XML request, performs some actions and then answers in XML as well.
(Since a draft version of this article has been on my desktop for over a month, I decided to just dump it here.)
Posted by karma at 05:22 PM. Filed under: Inside Nucleus
This article explains how Nucleus handles logins/logouts, and how it checks if the current visitor is a logged in site member.
Posted by karma at 03:01 PM. Filed under: Inside Nucleus
Here's a list of things about which I could write something in the "Inside Nucleus" series. Feel free to make additions. Also, tell me which of these topics are most important for you. With a little luck, writing about those topics will get a higher priority :)
Posted by karma at 11:47 AM. Filed under: Inside Nucleus
In this post, I'll try to explain what the showlist function in ADMIN.php is for, and how it works. Next to that, I'll also explain what the ENCAPSULATE, BATCH and NAVLIST are for. I'm not exactly sure if I did a good job explaining this in a clear way, but at least I tried :)
How batch operations work is a topic for a future article.
Posted by karma at 11:37 AM. Filed under: Inside Nucleus
In this post, I'll try to explain how URLs (links to items/archives/...) are built in Nucleus. It turned out to be quite a lengthy article. I'll start in a fancy URL free world and will end up explaining how fancy URLs work and highlighting some problems.
Posted by karma at 04:59 PM. Filed under: Inside Nucleus
This post tries to explain how the parsing of skins/templates works in Nucleus.
Let's start with a peculiarity. Everyone is using skinvars as <%skinvar%>, but did you know that these will also work: <%skinvar<%, %>skinvar<% and %>skinvar%>? They do. This is because of the way the parser works: it splits the skin on either delimiter without caring which one opened or closed a variable.
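As an added illustration of why all four spellings work, here is a minimal splitter written for this page; it is not the Nucleus PARSER code, only a model of the behaviour described above, and the function names, the variable table and the sample skins are hypothetical.

```php
<?php
// Added illustration, not the Nucleus PARSER code: a minimal splitter that
// behaves the way the post describes. Names and sample data are hypothetical.

// Split a skin on EITHER delimiter. After the split, the pieces alternate:
// even positions are literal text, odd positions are skinvar names. Because
// the pattern does not distinguish which delimiter opened or closed a
// variable, "<%name%>", "<%name<%", "%>name<%" and "%>name%>" all split alike.
function parseSkin(string $skin): array {
    $pieces = preg_split('/(<%|%>)/', $skin);
    $out = [];
    foreach ($pieces as $i => $piece) {
        if ($i % 2 === 1) {
            $out[] = ['skinvar', trim($piece)];
        } elseif ($piece !== '') {
            $out[] = ['text', $piece];
        }
    }
    return $out;
}

// Render by looking skinvars up in a table; an unknown name renders as an
// empty string (a choice made for this example, not Nucleus behaviour).
function renderSkin(string $skin, array $vars): string {
    $html = '';
    foreach (parseSkin($skin) as [$kind, $value]) {
        $html .= ($kind === 'text') ? $value : ($vars[$value] ?? '');
    }
    return $html;
}

// Constructed variable table and the four spellings from the post.
$vars = ['sitename' => 'Example Blog'];
foreach (['<%sitename%>', '<%sitename<%', '%>sitename<%', '%>sitename%>'] as $skin) {
    echo str_pad($skin, 14), ' -> ', renderSkin('Title: ' . $skin . '!', $vars), "\n";
}

// The flip side of the same design: one unmatched delimiter in literal text
// shifts every later piece into the wrong role, so the text after it is
// treated as a skinvar name and the real skinvar becomes literal text.
echo renderSkin('Price: 50<% off <%sitename%>', $vars), "\n";
```

All four spellings produce the same rendered line, because the splitter only counts delimiters and never checks that an opening <% is paired with a closing %>. The last line shows the cost of that simplicity: a stray delimiter in ordinary text (here a literal "<%" inside "50<% off") desynchronises the alternation for the rest of the skin.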
Posted by karma at 06:34 PM. Filed under: Inside Nucleus