Recherche avancée

Médias (1)

Mot : - Tags -/biographie

Autres articles (73)

  • Publier sur MédiaSpip

    13 juin 2013

    Puis-je poster des contenus à partir d’une tablette Ipad ?
    Oui, si votre Médiaspip installé est à la version 0.2 ou supérieure. Contacter au besoin l’administrateur de votre MédiaSpip pour le savoir

  • Les autorisations surchargées par les plugins

    27 avril 2010, par

    Mediaspip core
    autoriser_auteur_modifier() afin que les visiteurs soient capables de modifier leurs informations sur la page d’auteurs

  • L’agrémenter visuellement

    10 avril 2011

    MediaSPIP est basé sur un système de thèmes et de squelettes. Les squelettes définissent le placement des informations dans la page, définissant un usage spécifique de la plateforme, et les thèmes l’habillage graphique général.
    Chacun peut proposer un nouveau thème graphique ou un squelette et le mettre à disposition de la communauté.

Sur d’autres sites (8879)

  • avformat/hls : Check local file extensions

    3 juin 2017, par Michael Niedermayer
    avformat/hls : Check local file extensions

    This reduces the attack surface of local file-system
    
information leaking.
    

    It prevents the existing exploit leading to an information leak. As
    
well as similar hypothetical attacks.
    

    Leaks of information from files and symlinks ending in common multimedia extensions
    
are still possible. But files with sensitive information like private keys and passwords
    
generally do not use common multimedia filename extensions.
    
It does not stop leaks via remote addresses in the LAN.
    

    The existing exploit depends on a specific decoder as well.
    
It does appear though that the exploit should be possible with any decoder.
    
The problem is that as long as sensitive information gets into the decoder,
    
the output of the decoder becomes sensitive as well.
    
The only obvious solution is to prevent access to sensitive information. Or to
    
disable hls or possibly some of its feature. More complex solutions like
    
checking the path to limit access to only subdirectories of the hls path may
    
work as an alternative. But such solutions are fragile and tricky to implement
    
portably and would not stop every possible attack nor would they work with all
    
valid hls files.
    

    Developers have expressed their dislike / objected to disabling hls by default as well
    
as disabling hls with local files. There also where objections against restricting
    
remote url file extensions. This here is a less robust but also lower
    
inconvenience solution.
    
It can be applied stand alone or together with other solutions.
    
limiting the check to local files was suggested by nevcairiel
    

    This recommits the security fix without the author name joke which was
    
originally requested by Nicolas.
    

    Found-by : Emil Lerner and Pavel Cheremushkin
    
Reported-by : Thierry Foucu <tfoucu@google.com>
    

    Signed-off-by : Michael Niedermayer <michael@niedermayer.cc>
    • [DH] libavformat/hls.c

  • How to verify signatures for Piwik release packages

    19 novembre 2014, par Piwik Core Team — Security

    We are proud to announce that Piwik project now cryptographically signs the Piwik releases using PGP following requests from several community members. In this post we will explain how you can verify the signatures of the Piwik release you downloaded, with instructions for Windows, Mac OS X and Linux.

    What is a signature and why should I check it ?

    How do you know that the Piwik platform you have is really the one we made ? Some software sites list sha1 hashes alongside the software on their website, so users can verify that they downloaded the file without any errors. These “checksums” help you answer the question “Did I download this file correctly from whoever sent it to me ?” They do a good job at making sure you didn’t have any random errors in your download, but they don’t help you figure out whether you were downloading it from a compromised server. The better question to answer is : “Is this file that I just downloaded the file that Piwik intended me to get ?”. Over the years several Piwik users have requested that we start signing our releases.

    Where do I get the signatures and the keys that made them ?

    Each file on our release server builds.piwik.org is accompanied by a file with the same name as the package and the extension .asc. These .asc files are GPG signatures. They allow you to verify the file you’ve downloaded is exactly the one that we intended you to get. For example, piwik-2.9.0.zip is accompanied by piwik-2.9.0.zip.asc<code>.

    Currently Matthieu Aubry is the release manager and signs the Piwik releases. His signature can be found here : builds.piwik.org/signature.asc

    How to verify signatures on Windows

    You need to have GnuPG installed before you can verify signatures. Download it from http://gpg4win.org/download.html.

    Once it’s installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use cmd.exe. Unless you edit your PATH environment variable, you will need to tell Windows the full path to the GnuPG program. If you installed GnuPG with the default values, the path should be something like this : C :\Program Files\Gnu\GnuPg\gpg.exe.

    Import Piwik Release manager Matthieu’s key (0x416F061063FEE659) by starting cmd.exe and typing :

    "C :\Program Files\Gnu\GnuPg\gpg.exe" —keyserver keys.gnupg.net —recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

    After importing the key, you can verify that the fingerprint is correct :

    "C :\Program Files\Gnu\GnuPg\gpg.exe" —fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

    You should see :

    pub   4096R/5590A237 2013-07-24
      Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
uid                  Matthieu Aubry <matt@piwik.org>
uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
uid                  Matthieu Aubry <matt@piwik.pro>
sub   4096R/43F0D330 2013-07-24

    To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run :

    "C :\Program Files\Gnu\GnuPg\gpg.exe" —verify C :\Users\Alice\Desktop\piwik-2.9.0.zip.asc C :\Users\Alice\Desktop\piwik-2.9.0.zip

    The output should say "Good signature" :

    gpg : Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
gpg : Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg :                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
gpg :                 aka "Matthieu Aubry <matt@piwik.pro>"

    Notice that there may be a warning in case you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

    Mac OS X and Linux

    On Linux GnuPG is usually installed by default. On Mac OS X, you need to have GnuPG installed before you can verify signatures. You can install it from http://www.gpgtools.org/.

    Once it’s installed, use GnuPG to import the key that signed your package. Matthieu Aubry signs the Piwik releases. Import his key (814E346FA01A20DBB04B6807B5DBD5925590A237) by starting the terminal (under "Applications") and typing :

    gpg —keyserver keys.gnupg.net —recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

    After importing the key, you can verify that the fingerprint is correct :

    gpg —fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

    You should see :

    pub   4096R/5590A237 2013-07-24
      Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
uid                  Matthieu Aubry <matt@piwik.org>
uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
uid                  Matthieu Aubry <matt@piwik.pro>
sub   4096R/43F0D330 2013-07-24

    To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run :

    gpg —verify /Users/Alice/piwik-2.9.0.zip.asc*,

    The output should say "Good signature" :

    gpg : Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
gpg : Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg :                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
gpg :                 aka "Matthieu Aubry <matt@piwik.pro>"

    Notice that there may be a warning in case you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

    That’s it ! In this article you have learnt how you can verify that the Piwik package you have downloaded on your computer was the same as the one Piwik team has officially created. We hope this helps you use Piwik with more security.

    Source : this article was copied and adapted from the great Tor Browser project website page How to verify signatures for Tor packages

  • How to verify signatures for Piwik release packages

    19 novembre 2014, par Piwik Core Team — Security

    We are proud to announce that Piwik project now cryptographically signs the Piwik releases using PGP following requests from several community members. In this post we will explain how you can verify the signatures of the Piwik release you downloaded, with instructions for Windows, Mac OS X and Linux.

    What is a signature and why should I check it ?

    How do you know that the Piwik platform you have is really the one we made ? Some software sites list sha1 hashes alongside the software on their website, so users can verify that they downloaded the file without any errors. These “checksums” help you answer the question “Did I download this file correctly from whoever sent it to me ?” They do a good job at making sure you didn’t have any random errors in your download, but they don’t help you figure out whether you were downloading it from a compromised server. The better question to answer is : “Is this file that I just downloaded the file that Piwik intended me to get ?”. Over the years several Piwik users have requested that we start signing our releases.

    Where do I get the signatures and the keys that made them ?

    Each file on our release server builds.piwik.org is accompanied by a file with the same name as the package and the extension .asc. These .asc files are GPG signatures. They allow you to verify the file you’ve downloaded is exactly the one that we intended you to get. For example, piwik-2.9.0.zip is accompanied by piwik-2.9.0.zip.asc<code>.

    Currently Matthieu Aubry is the release manager and signs the Piwik releases. His signature can be found here : builds.piwik.org/signature.asc

    How to verify signatures on Windows

    You need to have GnuPG installed before you can verify signatures. Download it from http://gpg4win.org/download.html.

    Once it’s installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use cmd.exe. Unless you edit your PATH environment variable, you will need to tell Windows the full path to the GnuPG program. If you installed GnuPG with the default values, the path should be something like this : C :\Program Files\Gnu\GnuPg\gpg.exe.

    Import Piwik Release manager Matthieu’s key (0x416F061063FEE659) by starting cmd.exe and typing :

    "C :\Program Files\Gnu\GnuPg\gpg.exe" —keyserver keys.gnupg.net —recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

    After importing the key, you can verify that the fingerprint is correct :

    "C :\Program Files\Gnu\GnuPg\gpg.exe" —fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

    You should see :

    pub   4096R/5590A237 2013-07-24
      Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
uid                  Matthieu Aubry <matt@piwik.org>
uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
uid                  Matthieu Aubry <matt@piwik.pro>
sub   4096R/43F0D330 2013-07-24

    To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run :

    "C :\Program Files\Gnu\GnuPg\gpg.exe" —verify C :\Users\Alice\Desktop\piwik-2.9.0.zip.asc C :\Users\Alice\Desktop\piwik-2.9.0.zip

    The output should say "Good signature" :

    gpg : Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
gpg : Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg :                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
gpg :                 aka "Matthieu Aubry <matt@piwik.pro>"

    Notice that there may be a warning in case you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

    Mac OS X and Linux

    On Linux GnuPG is usually installed by default. On Mac OS X, you need to have GnuPG installed before you can verify signatures. You can install it from http://www.gpgtools.org/.

    Once it’s installed, use GnuPG to import the key that signed your package. Matthieu Aubry signs the Piwik releases. Import his key (814E346FA01A20DBB04B6807B5DBD5925590A237) by starting the terminal (under "Applications") and typing :

    gpg —keyserver keys.gnupg.net —recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237

    After importing the key, you can verify that the fingerprint is correct :

    gpg —fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237

    You should see :

    pub   4096R/5590A237 2013-07-24
      Key fingerprint = 814E 346F A01A 20DB B04B  6807 B5DB D592 5590 A237
uid                  Matthieu Aubry <matt@piwik.org>
uid                  Matthieu Aubry <matthieu.aubry@gmail.com>
uid                  Matthieu Aubry <matt@piwik.pro>
sub   4096R/43F0D330 2013-07-24

    To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run :

    gpg —verify /Users/Alice/piwik-2.9.0.zip.asc*,

    The output should say "Good signature" :

    gpg : Signature made Thu 13 Nov 2014 17:42:18 NZDT using RSA key ID 5590A237
gpg : Good signature from "Matthieu Aubry <matt@piwik.org>"
gpg :                 aka "Matthieu Aubry <matthieu.aubry@gmail.com>"
gpg :                 aka "Matthieu Aubry <matt@piwik.pro>"

    Notice that there may be a warning in case you haven’t assigned a trust index to this person. This means that GnuPG verified that the key made that signature, but it’s up to you to decide if that key really belongs to the developer. The best method is to meet the developer in person and exchange key fingerprints.

    That’s it ! In this article you have learnt how you can verify that the Piwik package you have downloaded on your computer was the same as the one Piwik team has officially created. We hope this helps you use Piwik with more security.

    Source : this article was copied and adapted from the great Tor Browser project website page How to verify signatures for Tor packages

Navigation