Help: Embedding content in S9Y Efficiently?

Posted: Thu Sep 21, 2006 5:35 am
by Ctwizzy
Garvin & Jude, you guys rock and have helped a ton so far, so I'm hoping you guys can help again. One day, when I have some experience behind me, I'll contribute as well.

OK, so I was trying to use the static page plugin. Now maybe I'm looking in the wrong place, but is there no documentation for any of the plugins? I'm not talking just the code either, I'm talking user documentation.

In nearly every plugin I look at, the code isn't documented besides listing the author. Now, I can read most of it, and stuff I haven't seen before I can Google. But I can't learn to use a plugin if there is no documentation on how to use it.

For example, I'm trying to use the Static Page plugin: I go to admin, click the link to create a new page, and there are a slew of fields to enter. Now, they do have descriptions, but it took 30 mins of searching and reading to figure out how most of it works, and I still don't have it displaying the text!

Sorry, that's my rant.

I don't know how you guys are doing this, and you may be using the static page plugin. I was going to use the Static Page plugin, but to my knowledge this plugin basically creates the entry and stores it in the DB. I'm not personally sure that's a great thing, and it only accepts HTML, so no PHP, JS, Flash etc. -- correct me if I'm wrong.

Would it not be better to just check for the passed parameter and then include a file instead of displaying the blog? This would free up the SQL calls for the information.

Using an About page as an example, I would simply write an about.php file with whatever code I like. Then, using a combination of config.inc.php and modding code in index.tpl, I could check for the passed parameter using [GET]; if it was equal to About, I would include about.php instead of rendering the blog interface.

I'm looking to embed a gallery soon; that's why I'm starting small. But I have read all the posts on embedding Gallery2, Plogger, Coppermine etc. None of it seems simple, and none of the threads finish with a complete solution, so I'm pulling my hair out lol.

Am I on the right path if I wanted to embed stuff into my page?
One problem I'm sure I'm going to face is the paths generated by gallery apps, as gallery apps rely on file structure, not includes as my solution does. So, seeing as my s9y is installed in root/serendipity, and Plogger, for example, was installed in root/plogger, it would be difficult to get the links right or embed it. I have a headache from this now. I'd appreciate your input; if I have to create a plugin, or use a plugin, I don't mind, I'm just looking for a good solution.

Thanks!

Posted: Thu Sep 21, 2006 5:04 pm
by judebert
Yes, the documentation is S9Y's biggest weakness, so far as we're concerned. If the plugin isn't simple enough to understand from its configuration interface, the only places to get documentation are the Serendipity homepage and this forum.

Using an About page as an example I would simply write a about.php file with whatever code I like, then using a combination of config.inc.php and modding code in index.tpl I could check for the passed parameter using [GET] if it was equal to About then I would include about.php instead of rendering the blog interface?

S9Y aims to be fast, small, and secure. That's why the functionality is so sparse with a default install: it's faster than the blazes, small as it can be, and locked up tight, with only the features that the default user requires (online diary). Allowing users to run an arbitrary .php file from URL is a security hole that would be difficult to plug.

If you want to execute code external to Serendipity, we provide the External PHP Application and WrapURL plugins. It should be as simple as entering the path to the PHP or the URL to the webpage you want to wrap.

The gallery plugins should work with the paths you specified. The biggest problem with integration is usually getting things to "look right". This is a headache because the pieces we try to integrate usually have their own themes, so you need to either accommodate their theme into your Serendipity theme, or get an API to include the pieces without a theme. Either way is non-trivial. That's why one of our users wrote his own media gallery plugin. It's working, but it's still under development.

Azel was going to write a Gallery2 tutorial. It seemed the big problem was the version of Gallery2 obtained, so that with RC2A or above, the plugin worked without error.

Posted: Thu Sep 21, 2006 10:58 pm
by Ctwizzy
Thanks Jude, your responses always seem to help.

So you're saying that modifying the index.tpl to listen for a passed parameter and include an external PHP file is unsafe? Enlighten me please, as I don't know much about security and learning is my #1 priority lol.

As I am learning stuff about s9y I am posting it in my blog, and everything I do I document. Once I figure out how to get a domain name and have my Linux box use it I'll put it live; atm it's just using my IP to get to it, and I don't wanna distribute that as that's a security vulnerability I think.

So does just having a plugin installed automatically bloat s9y, or only if it's used? I guess it does, as they are all constantly listening for the events, so best to remove anything which is not immediately important. In that case plug-ins like currently are cool but are best off in a static page I would think, but the static page plugin uses SQL, which is more slow-down lol.

OK, so I was reading some of the plugins you mentioned. The external-php event is basically what I was talking about with the include, except in a plugin, though there are warnings of security implications using this. But it seems as long as no one can crack my s9y password, intruders can't inject bad PHP apps onto my server. Which raises another Q:

The S9Y admin page is not secure at all from what I can see: all information is passed over clear text and can be sniffed. Is there any current standard in securing s9y's admin interface?

The wrap URL plugin just displays the external file in an iframe so it *looks* integrated, but isn't?

Sorry for all the questions.

Thanks Jude!

Posted: Fri Sep 22, 2006 2:25 am
by judebert
Glad I can be of help!

The security problem I see is passing the parameter: someone could write his own PHP, save it on your server -- perhaps because it's a shared server, and certain directories are world-writeable -- and pass ../templates_c/evil.php to get it to run. Or maybe even pass http://evilserver.com/evil.php and get your server to run his PHP.

Of course, we can protect against this, too. But then we're trying to outsmart someone with nasty intent and motive. It gets so difficult we wouldn't have time for anything else.

The problem with the wrapper plugin is the same, but it uses configuration data that's stored in the database. Since it's not passing the parameter, it can't be redirected. The only real security issue I see there is the possibility of someone overwriting your script. And of course, s9y then picks up all the security problems of the script, too.

Distributing your IP address isn't any worse than distributing your domain name. To use your server, eventually the name needs to be translated to an IP address anyway. In fact, check out dyndns.afraid.org if you're interested in getting a free, dynamic domain name.

It's true that having plugins installed is a performance hit. The big hit is on startup: s9y has to load every plugin before it can call its first event hook. After that, it's not so bad. But consider that we have to start a new s9y for each page we load -- including the CSS stylesheet. To get lean and mean, remove as many plugins as you can.

I hadn't considered the admin page security yet. It's true that it could be sniffed, as far as I can tell. Although that can be casual, it usually requires someone who's out to get you. I wonder if we MD5 encode things? I'll have to look into it.

And yes, the wrap URL plugin isn't *really* integrated. It just looks that way. The External PHP Application plugin is a lot better at that, but you'll have to either code the PHP to use Serendipity's styles, or modify your style.css.
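
The "include a file named by a GET parameter" idea from Ctwizzy's first post, and the reason judebert gives for rejecting it, side by side as an added example. This is not Serendipity code and not something either poster wrote; the parameter name `page`, the `pages/` directory, the file names and the PHP 7.1+ requirement are assumptions. The hardened form does what judebert describes the plugins doing: the decision about which file runs lives in configuration the site owner wrote, never in the request.

```php
<?php
// Added example, not Serendipity code: the "include a file named by a GET
// parameter" idea from the thread, in the unsafe form judebert warns about
// and in a hardened form. The parameter name 'page', the pages/ directory
// and the file names are assumptions. Requires PHP 7.1 or later.

// UNSAFE: the raw parameter value reaches include(). Whatever PHP can read
// relative to the include path (and, with allow_url_include=On, fetch over
// HTTP) gets executed, which is exactly the ../ and http:// case judebert describes.
function render_static_page_unsafe(): void
{
    $page = $_GET['page'] ?? 'about';
    include $page . '.php';
}

// HARDENED: the request only ever supplies a key into a fixed map of pages
// that the site owner wrote. No user-controlled string is used as a path.
function static_pages(): array
{
    return [
        'about'   => 'about.php',   // assumed file names under pages/
        'contact' => 'contact.php',
    ];
}

// Returns the absolute path of the page to include, or null when the
// request should fall through to normal blog rendering.
function resolve_static_page(?string $requested, string $pagesDir, array $pages): ?string
{
    if ($requested === null || !array_key_exists($requested, $pages)) {
        return null;   // unknown or missing key: nothing reaches include()
    }
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    // Belt and braces: the resolved file must exist and sit inside pagesDir,
    // so a mistake in the map (or a stray symlink) cannot point elsewhere.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Returns true when a static page was served, false when the caller should
// render the blog as usual.
function render_static_page_hardened(): bool
{
    // ?page[]=x would arrive as an array; treat anything but a string as absent.
    $requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
    $file = resolve_static_page($requested, __DIR__ . '/pages', static_pages());
    if ($file === null) {
        return false;
    }
    include $file;
    return true;
}
```

Two settings back this up on the PHP side: `allow_url_include = Off` in php.ini (the default) closes the remote-URL case even if an include() ever does see request data, and keeping the pages directory outside any world-writeable location addresses judebert's shared-server scenario, since an allowlist only helps if the listed files cannot be replaced.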
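
For the admin-interface question Ctwizzy raised (everything passed in clear text), the usual answer today is to refuse plain HTTP for the admin pages altogether. The following is an added example, not Serendipity code: a small check meant to sit at the top of the admin entry script. The canonical host name, the admin path placeholder and the use of a 301 are assumptions, and the site must already have a working HTTPS virtual host.

```php
<?php
// Added example, not Serendipity code: refuse to serve the admin interface
// over plain HTTP, so the login form and every admin request only ever travel
// over TLS. Canonical host, admin path and the 301 status are assumptions.

const ADMIN_CANONICAL_HOST = 'blog.example.test';   // assumed: your own host name, never taken from the request

// PHP populates $_SERVER['HTTPS'] with a non-empty value other than 'off'
// when the request arrived over TLS.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Returns the HTTPS URL to redirect to, or null when the request may proceed.
// The host comes from configuration, not from the Host header, so a forged
// Host header cannot turn this redirect into an open redirect.
function admin_https_redirect(array $server, string $canonicalHost): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // Only forward a same-site absolute path; anything else goes to the admin root.
    if ($uri === '' || $uri[0] !== '/' || strpos($uri, '//') === 0) {
        $uri = '/path/to/admin.php';   // placeholder for the admin entry point
    }
    return 'https://' . $canonicalHost . $uri;
}

// Put this at the very top of the admin entry script, before any output,
// before session_start(), and before the login form is rendered or a
// password is read from the request.
$redirect = admin_https_redirect($_SERVER, ADMIN_CANONICAL_HOST);
if ($redirect !== null) {
    header('Location: ' . $redirect, true, 301);
    exit;
}
// From here on the request is TLS: keep the session cookie off plain HTTP
// and tell browsers to stay on HTTPS for this host.
ini_set('session.cookie_secure', '1');
header('Strict-Transport-Security: max-age=31536000');
```

The redirect alone does not protect a password that a browser has already sent over HTTP, which is why the check runs before the form is shown rather than after a failed login; the `session.cookie_secure` setting matters for the same reason, since a session cookie leaked over HTTP is as good as the password to anyone sniffing the connection.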