[development] jQuery 1.2 is released
frando2 at unbiskant.org
Fri Sep 14 11:23:22 UTC 2007
Derek Wright-2 wrote:
> To be extra clear, I should state: letting httpd or php write to the
> drupal sources *AT ALL* is a risk. Even if the only "legitimate" way
> that is coded into the system requires a special privilege, and
> access to admin/jquery/update, so long as the operating system *ever*
> allows httpd or php to write to those directories, there's a
> potential vulnerability. Any minor bug then could become a critical
> exploit. So, as a precaution, the operating system itself (not
> Drupal's code) should enforce that Drupal can never write to the
> files that Drupal is trying to execute (either php source or .js
> that's sent to the browser).
> That way, even when future Drupal bugs
> are discovered, at least the operating system can help prevent those
> bugs from being exploited to cause significant damage.
I agree of course. What makes me wonder, though, don't we in Drupal 6
Isn't that exactly the same as allowing Drupal to save downloaded jQuery
plugins in the file directory (not that I think this is good idea anyway)?
View this message in context: http://www.nabble.com/jQuery-1.2-is-released-tf4421190.html#a12673287
Sent from the Drupal - Dev mailing list archive at Nabble.com.
More information about the development