[development] SQLite and Drupal 7 -- third coming
Damien Tournoud
damz at prealable.org
Wed Feb 4 17:18:35 UTC 2009
On Wed, Feb 4, 2009 at 5:23 PM, Chris Johnson <cxjohnson at gmail.com> wrote:
> From a security point of view, any time the web server process has
> write access to any directory or file, it makes me nervous. For this
> SQLite scheme to work, obviously the web server process will have to
> be able to create and update the file in which the SQLite database
> resides. This seems like it provides another possible vector for
> exploits. Tell me how we will protect against such attacks.
That's an excellent point. It has been chx' concern from the beginning.
If you read http://drupal.org/node/367660, you will see that a whitelist of
paths retrieved from the registry has been made just for that.
Damien Tournoud