[development] jQuery 1.2 is released

Frando frando2 at unbiskant.org
Fri Sep 14 12:25:50 UTC 2007


To clarify. When it comes to PHP code, everything is absolutely clear: Never
allow Drupal to write its own code. Never. Ever. We really discussed this
often enough. There might be possibilities by using an FTP layer, though.
There's an issue for that somewhere.

JavaScript is different, though. For someone to exploit a Drupal site by
saving a modified, malicious JavaScript file at a path where it gets
included in every request, he needs a major security hole in the site (one
that allows him to save random files at random paths). Given that security
hole, he most likely already has other ways to add random, malicious
JavaScript to every page request (He could e.g. add a PHP block with no
title and text to each page which then includes the malicious JavaScript. He
could also add the JavaScript to the aggregated CSS file, which also lives
in the writeable file directory. JavaScript in CSS files gets executed by
most modern browsers.). 

So, allowing Drupal to write its JavaScript files (which we already do in
Drupal 6 with the JavaScript aggregator) is not a security risk. If we were to
count this as a security risk, we would have to get rid of both the CSS and
the JS aggregator.

regards,
Frando


Frando wrote:
> 
> 
> Derek Wright-2 wrote:
>> 
>> 
>> 
>> To be extra clear, I should state: letting httpd or php write to the  
>> drupal sources *AT ALL* is a risk.  Even if the only "legitimate" way  
>> that is coded into the system requires a special privilege, and  
>> access to admin/jquery/update, so long as the operating system *ever*  
>> allows httpd or php to write to those directories, there's a  
>> potential vulnerability.  Any minor bug then could become a critical  
>> exploit.  So, as a precaution, the operating system itself (not  
>> Drupal's code) should enforce that Drupal can never write to the  
>> files that Drupal is trying to execute (either php source or .js  
>> that's sent to the browser). 
>> 
>> That way, even when future Drupal bugs  
>> are discovered, at least the operating system can help prevent those  
>> bugs from being exploited to cause significant damage.
>> 
>> 
> I agree of course. What makes me wonder, though, don't we in Drupal 6
> already include a javascript file in every request which is written by
> Drupal to the filesystem via the Javascript aggregator/compressor?
> 
> Isn't that exactly the same as allowing Drupal to save downloaded jQuery
> plugins in the file directory (not that I think this is a good idea anyway)?
> 
> regards,
> frando
> 

-- 
View this message in context: http://www.nabble.com/jQuery-1.2-is-released-tf4421190.html#a12674266
Sent from the Drupal - Dev mailing list archive at Nabble.com.
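
The precaution described in the quoted text, that the operating system rather than Drupal's code should keep the web server from writing to PHP source or served .js files, can be checked mechanically. The following is an added example, not part of the original thread or of Drupal: a Python audit that assumes a top-level `files` directory is the one intentionally writable location and uses an assumed list of code extensions.

```python
import os
import stat

# Assumed list: extensions Drupal executes server-side or sends to the browser.
CODE_EXTS = {".php", ".inc", ".module", ".install", ".engine", ".js"}

def write_reason(st, uid, gids):
    """Why uid/gids could modify this inode, or None. POSIX picks one class:
    owner first, then group, then other."""
    if st.st_uid == uid:
        return "owned by web user"  # an owner can always chmod write access back
    if st.st_gid in gids:
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None

def audit(root, uid, gids, skip=("files",)):
    """Return sorted (relative_path, reason) for code under root that the web
    server identity could change. `skip` lists top-level directories that are
    writable on purpose (uploads, aggregated CSS/JS)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in skip]
        rel_dir = os.path.relpath(dirpath, root)
        code = [f for f in filenames if os.path.splitext(f)[1] in CODE_EXTS]
        # A writable directory allows replacing even read-only files inside it.
        reason = write_reason(os.lstat(dirpath), uid, gids)
        if code and reason:
            findings.append((rel_dir, "directory " + reason))
        for name in code:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue  # link mode bits are meaningless; the target is audited
            reason = write_reason(st, uid, gids)
            if reason:
                rel = os.path.normpath(os.path.join(rel_dir, name))
                findings.append((rel, reason))
    return sorted(findings)

if __name__ == "__main__":
    import pwd, sys
    root, user = sys.argv[1], sys.argv[2]  # e.g. a docroot and the httpd account
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for path, why in audit(root, pw.pw_uid, groups):
        print(f"{why:28} {path}")
```

An empty result means the named account cannot alter any code file outside the skipped directory; anything under `files` still needs to be treated as attacker-influenced content, which is the aggregator question raised in the thread.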


