To clarify. When it comes to PHP code, everything is absolutely clear: Never allow Drupal to write its own code. Never. Ever. We really discussed this often enough. There might be possiblities by using an FTP layer, though. There's an issue for that somewhere. JavaScript is different, though. For someone to exploit a Drupal site by saving a modified, malicious JavaScript file at a path where it gets included in every request, he needs a major security hole in the site (one that allows him to save random files at random paths). Given that security hole, he most likely has already other ways to add random, malicious JavaScript to every page request (He could e.g. add a PHP block with no title and text to each page which then includes the malicious JavaScript. He could also add the JavaScript to the aggregated CSS file, which also lives in the writeable file directory. JavaScript in CSS files gets executed by most modern browsers.). So, allowing Drupal to write its JavaScript files (which we already do in Drupal 6 with the JavaScript aggregator) is not a security risk. If we would count this as a security risk, we would have to get rid of both the CSS and the JS aggregator. regards, Frando Frando wrote:
Derek Wright-2 wrote:
To be extra clear, I should state: letting httpd or php write to the drupal sources *AT ALL* is a risk. Even if the only "legitimate" way that is coded into the system requires a special privilege, and access to admin/jquery/update, so long as the operating system *ever* allows httpd or php to write to those directories, there's a potential vulnerability. Any minor bug then could become a critical exploit. So, as a precaution, the operating system itself (not Drupal's code) should enforce that Drupal can never write to the files that Drupal is trying to execute (either php source or .js that's sent to the browser).
That way, even when future Drupal bugs are discovered, at least the operating system can help prevent those bugs from being exploited to cause significant damage.
I agree of course. What makes me wonder, though, don't we in Drupal 6 already include a javascript file in every request which is written by Drupal to the filesystem via the Javascript aggregator/compressor?
Isn't that exactly the same as allowing Drupal to save downloaded jQuery plugins in the file directory (not that I think this is good idea anyway)?
regards, frando
-- View this message in context: http://www.nabble.com/jQuery-1.2-is-released-tf4421190.html#a12674266 Sent from the Drupal - Dev mailing list archive at Nabble.com.