Is OMP 3.1.0.0 vulnerable to issue 4024?

Hi,

I’m wondering if OMP version 3.1.0.0 is vulnerable to issue 4024 described here: https://github.com/pkp/pkp-lib/issues/4024 since all files listed in the commit that fixes it (Merge pull request #4028 from asmecher/i4024-fix · pkp/pkp-lib@5b7e9b9 · GitHub) don’t even exist in 3.1.0.0.

Do I need to update to the newest version of OMP to fix this or can I just ignore it? I already fixed the JSON vulnerability as well as the search XSS vulnerability via patches/diffs.

Hi @jmvezic,

Yes, OMP 3.1.0-0 is affected by issue 4024. The latest release of OMP corrects it; I’d suggest upgrading to that. (It’s less work than manually patching everything, and less error-prone.)

Regards,
Alec Smecher
Public Knowledge Project Team

Hi, @asmecher,

I’ll do that, just an FYI: git complains a lot about the file

/lib/pkp/js/lib/pnotify/includes/bootstrap3/css/Pinkie Pie.json

when doing a diff, probably because it contains a space. It might be a good idea to remove the space in the future.

Regards,
Jakov.

Hi @jmvezic,

That’s 3rd-party code, part of the “PNotify” library that we use for pop-up notifications. Git should be able to handle filenames containing spaces – can you describe what you’re seeing in more detail?

Regards,
Alec Smecher
Public Knowledge Project Team

@asmecher

Since I’m not doing submodules (and I’ve got some modifications of my own in the code), I’ve gotta do diff patches for each new version. They never like that specific file so I gotta manually put it in quotes in the diff file. I guess it thinks Pie.json is the file to patch?

I suppose it’s only my specific problem then. Thanks for the feedback on the issue!
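The manual fix described in the post above (quoting the `--- `/`+++ ` header paths that contain a space so the patch tool reads them as one path) can be automated. This is an added example, not code from the thread or from PKP; it assumes a POSIX shell with awk and a unified diff on stdin.

```shell
#!/bin/sh
# Added example: quote unified-diff header paths that contain spaces.
# A header such as '--- a/css/Pinkie Pie.json' is read by patch tools as
# the path 'a/css/Pinkie' followed by junk; git-style quoting
# ('--- "a/css/Pinkie Pie.json"') makes it one path again.
quote_diff_paths() {
  awk '
    # Wrap the path part of a "--- " / "+++ " line in double quotes when it
    # contains a space. A diffutils timestamp after a tab is kept as-is.
    function quote(line, pfx,   rest, tail, t) {
      rest = substr(line, 5)
      t = index(rest, "\t")
      if (t) { tail = substr(rest, t); rest = substr(rest, 1, t - 1) }
      if (index(rest, " ") && substr(rest, 1, 1) != "\"")
        rest = "\"" rest "\""
      return pfx rest tail
    }
    {
      # A "--- " line is only a file header when the next line is "+++ ";
      # otherwise it is a removed content line that happened to start
      # with "-- ", so hold one line and decide on the next.
      if (held != "") {
        if (substr($0, 1, 4) == "+++ " && substr(held, 1, 4) == "--- ") {
          print quote(held, "--- ")
          print quote($0, "+++ ")
          held = ""
          next
        }
        print held
        held = ""
      }
      if (substr($0, 1, 4) == "--- ") { held = $0; next }
      print
    }
    END { if (held != "") print held }
  '
}

# Constructed sample diff (not a real PKP patch) to show the rewrite.
sample='--- a/css/Pinkie Pie.json
+++ b/css/Pinkie Pie.json
@@ -1 +1 @@
-{"a":1}
+{"a":2}'
printf '%s\n' "$sample" | quote_diff_paths
```

Use it as `quote_diff_paths < update.diff > update-fixed.diff` before applying the patch.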

Hi @jmvezic,

For OJS 3.2 and later I’ve tweaked the dependency and updated the library, and it looks like that file won’t be necessary any more. So once you upgrade to 3.2 (when it’s released) you should be able to dispense with the work-around.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher

Thanks for the update on the dependency.

I have another problem with the upgrade (3.1.0.0 to 3.1.1.4) now, I’m not sure if I should make a separate post. When doing the

php tools/upgrade.php upgrade

I get:

PHP Fatal error:  Class PKPNlm30MetadataPlugin contains 2 abstract methods and must therefore be declared abstract or implement the remaining methods (MetadataPlugin::supportsFormat, MetadataPlugin::getSchemaObject) in /home/jakov/morepress/books/lib/pkp/plugins/metadata/nlm30/PKPNlm30MetadataPlugin.inc.php on line 54

The thing is… as far as I can see in that PHP file, there’s no abstract functions, so I’ve no idea why PHP is throwing that error.

Hi @jmvezic,

Can you post that as a new topic? It’s not related to the subject here. That’ll help keep the forum organized.

Regards,
Alec Smecher
Public Knowledge Project Team