[development] jQuery 1.2 is released

Frando frando2 at unbiskant.org
Fri Sep 14 11:23:22 UTC 2007

Derek Wright-2 wrote:
> To be extra clear, I should state: letting httpd or php write to the  
> drupal sources *AT ALL* is a risk.  Even if the only "legitimate" way  
> that is coded into the system requires a special privilege, and  
> access to admin/jquery/update, so long as the operating system *ever*  
> allows httpd or php to write to those directories, there's a  
> potential vulnerability.  Any minor bug then could become a critical  
> exploit.  So, as a precaution, the operating system itself (not  
> Drupal's code) should enforce that Drupal can never write to the  
> files that Drupal is trying to execute (either php source or .js  
> that's sent to the browser). 
> That way, even when future Drupal bugs  
> are discovered, at least the operating system can help prevent those  
> bugs from being exploited to cause significant damage.
I agree of course. What makes me wonder, though, don't we in Drupal 6
already include a javascript file in every request which is written by
Drupal to the filesystem via the Javascript aggregator/compressor?

Isn't that exactly the same as allowing Drupal to save downloaded jQuery
plugins in the file directory (not that I think this is good idea anyway)?

View this message in context: http://www.nabble.com/jQuery-1.2-is-released-tf4421190.html#a12673287
Sent from the Drupal - Dev mailing list archive at Nabble.com.

More information about the development mailing list