[documentation] PHP snippets (once again)
cel4145 at cyberdash.com
Sun May 7 14:57:17 UTC 2006
There is an alternative to simply unpublishing for the problem snippets:
* Enable the "edit book pages" and "view revisions" access controls on
drupal.org for authenticated users so that everyone can edit any page and view
the different versions (isn't it about time we turned these on anyway?).
* Replace the entire text in the node with a security note that warns of the
vulnerabilities.
* Include in the replacement text an invitation to people (anyone) to look at
the previous version and submit an updated version by editing the page.
This takes fixing the security holes out of the docs and security teams' hands
and still allows people--with clear warning--to view the original snippet.
Quoting Heine Deelstra <info at ustilago.org>:
> Dear doc team,
>
> I looked at several snippets yesterday and to my horror many of them
> contain *obvious*, major security holes. I've spoken with the leader
> of the security team (chx) and we agreed to unpublish all obviously
> insecure snippets, then have a discussion based on numbers (ok vs.
> not ok) and how to proceed.