Theme uploading
From StatusNet
What do we want to accomplish
- site administrators should be able to upload a theme to their StatusNet site through the web interface
- site administrators should be able to delete a theme they've previously uploaded
What do we need to keep in mind
- name validation?
- legit characters
- conflicts with default themes
- I think it would be fair to limit things to one custom theme per site. --Evan 15:39, 21 April 2010 (UTC)
- .zip files could contain malicious files; must carefully validate, especially if we're saving things to filesystem to be served out of web
- are there other security risks to watch out for?
- CSS can contain executable JavaScript, which will run in site context. Site admins can add HTML in the site notice, but it seems to strip JS and styles. Might need to implement validation / rewriting on upload
- CSS can contain JavaScript? I didn't know that. --Evan 15:33, 21 April 2010 (UTC)
- or is it ok for admins to do this?
What needs to happen to do it
- Extend Theme class to include per-site managed theme directories as well as the core and local dirs in the source
- Add upload form and delete option to Design admin panel
- Implement safety checks for uploader
- carefully validate what files are extracted from the .zip file (allow only css and images)
- [maybe] security scan on uploaded CSS?
Not doing these now
- gallery browser for themes, with screenshots?
- 'real' preview of theme before you save?
- on-web theme editor?
Theme archive structure
Example (e.g. as in the Theme development and HOWTO Make a Theme notes):
- fooey.zip
  - css/
    - display.css
    - ie.css
  - images/
    - [may have various subdirectories]
    - [*.gif *.png files at least]
  - default-avatar-mini.png
  - default-avatar-profile.png
  - default-avatar-stream.png
  - logo.png
  - mobilelogo.png
Handling an upload
- via file upload, our .zip would end up in a temp dir, accessible via $_FILES
- allow renaming theme if the default filename was a poor match?
- create subdir in the site's uploadable themes dir
- open the .zip using php's zip module and extract files into that dir
- only extract legitimate files
- .css, .gif, .png, .jpeg, .jpg ?
- disallow hidden files, magic dirs?
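One way to implement the "only extract legitimate files" step with PHP's zip module, as an added example that is not StatusNet's own code; the function names, the 2 MiB per-file cap and the sample archive entries are assumptions.

```php
<?php
// Added example, not StatusNet code; the size cap and function names are assumptions.
const ALLOWED_EXT = ['css', 'gif', 'png', 'jpg', 'jpeg'];
const MAX_FILE_BYTES = 2097152; // assumed per-file limit (2 MiB)
// Returns null when an entry may be extracted, otherwise the reason it is refused.
function rejectReason(string $name, int $size): ?string
{
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $name)) return 'illegal characters';
    if ($name[0] === '/') return 'absolute path';
    foreach (explode('/', $name) as $part) {
        if ($part === '.' || $part === '..') return 'path traversal';
        if ($part !== '' && $part[0] === '.') return 'hidden file or directory';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) return 'extension not allowed';
    return $size > MAX_FILE_BYTES ? 'file too large' : null;
}
function extractTheme(string $zipPath, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) throw new RuntimeException('cannot open archive');
    $report = ['extracted' => [], 'rejected' => []];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        $name = $stat['name'];
        if (substr($name, -1) === '/') continue; // directories are created on demand
        if (($why = rejectReason($name, $stat['size'])) !== null) {
            $report['rejected'][$name] = $why;
            continue;
        }
        $target = $destDir . '/' . $name;
        if (!is_dir(dirname($target))) mkdir(dirname($target), 0755, true);
        // Copy the bytes ourselves instead of calling extractTo(): only vetted
        // names reach disk, and a symlink entry becomes a plain file.
        file_put_contents($target, $zip->getFromIndex($i, MAX_FILE_BYTES));
        $report['extracted'][] = $name;
    }
    $zip->close();
    return $report;
}

// Constructed sample archive, built in a temp dir so the script runs offline.
$tmp = sys_get_temp_dir() . '/theme-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/out', 0755, true);
$z = new ZipArchive();
$z->open($tmp . '/fooey.zip', ZipArchive::CREATE);
foreach (['css/display.css', 'logo.png', 'images/.htaccess', '../evil.css', 'shell.php'] as $n) $z->addFromString($n, 'x');
$z->close();
print_r(extractTheme($tmp . '/fooey.zip', $tmp . '/out'));
```

The extension allowlist only constrains names; it does not inspect file contents, so uploaded CSS still needs the separate scan discussed above.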
Comparison: wordpress.com
- does have a big pre-made theme gallery
- doesn't allow theme uploads
- Very different; WordPress themes include server-side PHP code. It'd be nuts to allow this. --Evan 15:37, 21 April 2010 (UTC)
- paid option for customized CSS to apply on top of those themes ($14.97/year)
- ...which is what we're doing. --Evan 15:37, 21 April 2010 (UTC)
Alternate plan
- stick a textarea on Design admin panel for custom CSS
- possibly do some validation on that to trim JS
- apply the customized CSS on top of whatever theme was selected
- perhaps do some versioning etc
- Nice enough plan, but I'd rather have real, full-scale themes. --Evan 15:38, 21 April 2010 (UTC)