[development] jQuery 1.2 is released

Derek Wright drupal at dwwright.net
Fri Sep 14 01:11:29 UTC 2007

On Sep 13, 2007, at 5:34 PM, Earnie Boyd wrote:

> How can this become an issue if only administrators have the  
> privilege?

Various other people in this thread were proposing that the site  
could automatically download and install/activate jQuery plugins  
(either new plugins, or new releases of existing plugins).  This  
would require the website having write access to its own jquery  
plugin folder.  This is the giant security hole we've pointed out,  
and which you seem to understand.

The confusion is between people who sanely understand that the only  
safe solution to this problem is for the human admin to manually  
upload/install new jquery plugins outside of drupal (scp, ftp, rsync,  
whatever -- some process with write access to the drupal sources  
which is *NOT* initiated via httpd and php) and the people who think  
that the site could somehow upgrade itself.

To be extra clear, I should state: letting httpd or php write to the  
drupal sources *AT ALL* is a risk.  Even if the only "legitimate" way  
that is coded into the system requires a special privilege, and  
access to admin/jquery/update, so long as the operating system *ever*  
allows httpd or php to write to those directories, there's a  
potential vulnerability.  Any minor bug then could become a critical  
exploit.  So, as a precaution, the operating system itself (not  
Drupal's code) should enforce that Drupal can never write to the  
files that Drupal is trying to execute (either php source or .js  
that's sent to the browser).  That way, even when future Drupal bugs  
are discovered, at least the operating system can help prevent those  
bugs from being exploited to cause significant damage.

Hope that helps clarify,
-Derek (dww)

p.s. If only shared hosting companies understood this. :(  Sadly,  
most of them seem to run all of your httpd and php processes as the  
same user that owns all the files (presumably since that's easier and  
cheaper for them to manage, do accounting on, suspend your account  
when it uses "too many resources" etc).  But, what's more profitable  
for the shared hosting provider is more dangerous for the customer.   
Ahh, the joys of capitalism.
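
The check below is an added example, not part of the original message or of Drupal: one way to audit what the message asks the operating system to enforce, namely that the account httpd/php runs as cannot write to the code Drupal executes. The function name, the extension list, the docroot path and the `www-data` account name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Reports executable code that
# the web server account could modify, judged by owner/group/other mode bits.
# ACLs and supplementary group membership are not examined.

# audit_writable_code DOCROOT WEB_UID WEB_GID
# Prints each code file, and each directory holding one, that is writable by
# the given numeric uid/gid. A writable directory counts because whoever can
# write to it can replace the files inside it.
# The extension list is an assumption; extend it to match your site.
audit_writable_code() {
    docroot=$1; web_uid=$2; web_gid=$3
    find "$docroot" -type f \( -name '*.php' -o -name '*.inc' \
            -o -name '*.module' -o -name '*.js' \) |
    while IFS= read -r file; do
        for path in "$file" "$(dirname "$file")"; do
            # -prune tests only this path, without descending into it.
            find "$path" -prune \( -perm -0002 \
                -o \( -user "$web_uid" -perm -0200 \) \
                -o \( -group "$web_gid" -perm -0020 \) \) -print
        done
    done | sort -u
}

# Usage (the path and the account name www-data are assumptions; substitute
# your own docroot and the account httpd/php runs as):
#   audit_writable_code /var/www/drupal "$(id -u www-data)" "$(id -g www-data)"
if [ "$#" -eq 3 ]; then
    audit_writable_code "$1" "$2" "$3"
fi
```

Empty output means no code file or code-holding directory is writable by that account according to the mode bits; an upload directory that holds no code is not reported.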
