[development] jQuery 1.2 is released
Earl Miles
merlin at logrus.com
Thu Sep 13 15:38:31 UTC 2007
Daniel F. Kudwien wrote:
>> Um, perhaps you all have not seen previous threads about the hazards of
>> allowing executable code in a writeable directory?
>>
>> -Peter
>
> By referencing to those 'obvious' discussions without any link or quote, I'm
> feeling quite stupid now. I've searched drupal.org, the development list
> archives and Google for the terms executable, code, writeable, directory(,
> drupal). Guess what? I did not find any thread containing useful,
> deep-insight information about why other systems like JOS/MOS are (more or
> less) successfully using writable directories for their modules [components]
> for quite some time now and Drupal is not.
Here's the summary:
By allowing uploaded files to be run as code, any minor bug in the
server or site software, anywhere, that could allow the uploading of
arbitrary files could then ovewrite code that is run; this could then
allow a much larger hack that could totally take over the site.
Ordinarily, code is not writeable by the webserver user, so any bug that
allows the uploading of arbitrary files simply cannot overwrite code,
and the impact is therefore minimized.
The reality is that the script kiddies are everywhere and always on the
look out for these bugs, too.
More information about the development
mailing list