[development] jQuery 1.2 is released
frando2 at unbiskant.org
Fri Sep 14 12:25:50 UTC 2007
To clarify. When it comes to PHP code, everything is absolutely clear: Never
allow Drupal to write its own code. Never. Ever. We really discussed this
often enough. There might be possiblities by using an FTP layer, though.
There's an issue for that somewhere.
included in every request, he needs a major security hole in the site (one
that allows him to save random files at random paths). Given that security
hole, he most likely has already other ways to add random, malicious
most modern browsers.).
count this as a security risk, we would have to get rid of both the CSS and
the JS aggregator.
> Derek Wright-2 wrote:
>> To be extra clear, I should state: letting httpd or php write to the
>> drupal sources *AT ALL* is a risk. Even if the only "legitimate" way
>> that is coded into the system requires a special privilege, and
>> access to admin/jquery/update, so long as the operating system *ever*
>> allows httpd or php to write to those directories, there's a
>> potential vulnerability. Any minor bug then could become a critical
>> exploit. So, as a precaution, the operating system itself (not
>> Drupal's code) should enforce that Drupal can never write to the
>> files that Drupal is trying to execute (either php source or .js
>> that's sent to the browser).
>> That way, even when future Drupal bugs
>> are discovered, at least the operating system can help prevent those
>> bugs from being exploited to cause significant damage.
> I agree of course. What makes me wonder, though, don't we in Drupal 6
> Isn't that exactly the same as allowing Drupal to save downloaded jQuery
> plugins in the file directory (not that I think this is good idea anyway)?
View this message in context: http://www.nabble.com/jQuery-1.2-is-released-tf4421190.html#a12674266
Sent from the Drupal - Dev mailing list archive at Nabble.com.
More information about the development