Derek Wright-2 wrote:
To be extra clear, I should state: letting httpd or php write to the drupal sources *AT ALL* is a risk. Even if the only "legitimate" way that is coded into the system requires a special privilege, and access to admin/jquery/update, so long as the operating system *ever* allows httpd or php to write to those directories, there's a potential vulnerability. Any minor bug then could become a critical exploit. So, as a precaution, the operating system itself (not Drupal's code) should enforce that Drupal can never write to the files that Drupal is trying to execute (either php source or .js that's sent to the browser).
That way, even when future Drupal bugs are discovered, at least the operating system can help prevent those bugs from being exploited to cause significant damage.
I agree of course. What makes me wonder, though, don't we in Drupal 6 already include a javascript file in every request which is written by Drupal to the filesystem via the Javascript aggregator/compressor? Isn't that exactly the same as allowing Drupal to save downloaded jQuery plugins in the file directory (not that I think this is good idea anyway)? regards, frando -- View this message in context: http://www.nabble.com/jQuery-1.2-is-released-tf4421190.html#a12673287 Sent from the Drupal - Dev mailing list archive at Nabble.com.