[development] SQLite and Drupal 7 -- third coming

Damien Tournoud damz at prealable.org
Wed Feb 4 17:18:35 UTC 2009

On Wed, Feb 4, 2009 at 5:23 PM, Chris Johnson <cxjohnson at gmail.com> wrote:

> From a security point of view, any time the web server process has
> write access to any directory or file, it makes me nervous.  For this
> SQLite scheme to work, obviously the web server process will have to
> be able to create and update the file in which the SQLite database
> resides.  This seems like it provides another possible vector for
> exploits.  Tell me how we will protect against such attacks.

That's an excellent point. It has been chx' concern from the beginning.

If you read http://drupal.org/node/367660, you will see that a whitelist of
paths retrieved from the registry has been made just for that.

Damien Tournoud
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20090204/82e15fe4/attachment-0001.htm 

More information about the development mailing list