[development] jQuery 1.2 is released
Frando
frando2 at unbiskant.org
Fri Sep 14 11:23:22 UTC 2007
Derek Wright-2 wrote:
>
> To be extra clear, I should state: letting httpd or php write to the
> drupal sources *AT ALL* is a risk. Even if the only "legitimate" way
> that is coded into the system requires a special privilege, and
> access to admin/jquery/update, so long as the operating system *ever*
> allows httpd or php to write to those directories, there's a
> potential vulnerability. Any minor bug then could become a critical
> exploit. So, as a precaution, the operating system itself (not
> Drupal's code) should enforce that Drupal can never write to the
> files that Drupal is trying to execute (either php source or .js
> that's sent to the browser).
>
> That way, even when future Drupal bugs
> are discovered, at least the operating system can help prevent those
> bugs from being exploited to cause significant damage.
>
I agree, of course. What makes me wonder, though, is: don't we in Drupal 6
already include a JavaScript file in every request which is written by
Drupal to the filesystem via the JavaScript aggregator/compressor?
Isn't that exactly the same as allowing Drupal to save downloaded jQuery
plugins in the files directory (not that I think this is a good idea anyway)?
regards,
frando
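As an added illustration of the OS-level policy Derek describes (this is example code, not from the thread, from Drupal, or from jQuery): a small POSIX shell script that strips group/world write bits from a Drupal-style code tree while leaving only the files directory writable for the aggregator, and an audit function that lists any code file the web server could still modify. The directory layout it builds is constructed for the demo, the `sites/default/files` path and the idea of a separate web server group are assumptions, and only mode bits are changed, so it runs unprivileged.

```sh
#!/bin/sh
# Added example, not code from the mailing list thread or from Drupal.
# Policy: PHP sources and served JS/CSS are never writable by httpd/php;
# only sites/default/files (where the aggregator writes) stays writable.
set -eu

FILES_SUBDIR="sites/default/files"   # assumed location of Drupal's files dir

# Build a constructed, deliberately sloppy tree: everything world-writable,
# which is the state that turns "any minor bug" into a code-execution path.
make_demo_tree() {
  root="$1"
  mkdir -p "$root/includes" "$root/misc" "$root/$FILES_SUBDIR/js"
  printf '<?php echo "hello";\n' > "$root/index.php"
  printf 'function drupal_demo() {}\n' > "$root/includes/common.inc"
  printf 'var jQuery = {};\n' > "$root/misc/jquery.js"
  printf '/* aggregated js (constructed) */\n' > "$root/$FILES_SUBDIR/js/js_demo.js"
  chmod -R 777 "$root"
}

# Apply the policy. Code: dirs 755, files 644 (owner writes, web server does
# not, assuming httpd runs as a different user/group than the owner).
# Files dir: 775/664 so a group the web server belongs to can write there.
harden_tree() {
  root="$1"
  find "$root" -path "$root/$FILES_SUBDIR" -prune -o -type d -exec chmod 755 {} +
  find "$root" -path "$root/$FILES_SUBDIR" -prune -o -type f -exec chmod 644 {} +
  chmod 775 "$root/$FILES_SUBDIR"
  find "$root/$FILES_SUBDIR" -type d -exec chmod 775 {} +
  find "$root/$FILES_SUBDIR" -type f -exec chmod 664 {} +
}

# Audit: print every file outside the files dir that is group- (020) or
# world- (002) writable. Empty output means the policy holds.
audit_writable() {
  root="$1"
  find "$root" -path "$root/$FILES_SUBDIR" -prune -o \
    -type f \( -perm -020 -o -perm -002 \) -print
}

# Number of offending code files, handy for a cron check or CI gate.
count_writable() {
  audit_writable "$1" | wc -l | tr -d ' '
}

demo() {
  tmp=$(mktemp -d)
  make_demo_tree "$tmp"
  echo "before hardening: $(count_writable "$tmp") writable code file(s)"
  harden_tree "$tmp"
  echo "after hardening:  $(count_writable "$tmp") writable code file(s)"
  rm -rf "$tmp"
}

# Uncomment to run the demo stand-alone:
# demo
```

In a real deployment the code tree would also be owned by a deploy user with httpd only in the group that owns `sites/default/files`; the mode bits above are the part that can be shown without root. Running `audit_writable /path/to/drupal` periodically is the check that catches a later chmod or upload bug reopening the write path the thread is worried about.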