davidrrm wrote:
Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.
Thanks for pointing this out. That file's hidden pretty well there.
Well, back then there weren't many open discussions about component security, and it was a patch never really made to go public.
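To illustrate the ordering point raised above, here is an added example (not the extCal module's own code) of the Mambo-era direct-access guard placed before the include, with the helper's function assumed to live in extcal_latest_func.php; the file names come from the thread, the rendering function is hypothetical.

```php
<?php
// mod_extcalendar_latest.php (hardened ordering, example only)
//
// The guard must be the first executable statement. When this file is
// requested directly over HTTP, _VALID_MOS is undefined, so execution stops
// here and nothing below (including the include) ever runs.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// Only after the guard do we pull in the helper. The ordering discussed in
// the thread is the reverse (require_once first, guard second). Today that is
// harmless because the helper defines functions only, but any top-level
// statement added to the helper later would execute on direct access.
// Giving the helper its own guard line, as suggested above, closes that gap
// regardless of include order and makes audits a simple grep.
require_once dirname(__FILE__) . '/extcal_latest_func.php';

// Hypothetical helper defined in extcal_latest_func.php: returns the
// "latest events" markup for the module position.
echo extcal_latest_render(5);
```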
dpk wrote:
Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?
I'm going to check out Events beta 1.3
...
Reality check for who? Most people here use Extcal cause it has features they want - not cause there is no alternative. We all know that this project is not David's original work, nor was it Scott and other David, nor Matt Friedman who made the first mambo component.
Everybody that doesn't think Extcal meets their needs - please go and use something else! But please go quietly; otherwise stop complaining and start helping to improve the component.
People that were interested know that this version isn't even based on the last beta of Extcal (which is already over a year old).
The Author is still working on it (very slowly though) and will hopefully publish a new beta some time soon.
Extcal has been abandonware on the Joomla/Mambo side for a long time. Maybe there are some good people ganging up as we speak to change that. IMHO the only way forward for a Joomla component is to get in contact with the original author and work off the latest code base and J10e (Joomla!ise) it.
Edit: Apologies for OT post and polluting the thread.
Otto