[documentation] PHP snippets (once again)
Kieran Lal
kieran at civicspacelabs.org
Sun May 7 15:51:08 UTC 2006
On May 7, 2006, at 7:26 AM, Heine Deelstra wrote:
> Dear doc team,
>
> I looked at several snippets yesterday and to my horror many of
> them contain *obvious*, major security holes. I've spoken with the
> leader of the security team (chx) and we agreed to unpublish all
> obviously insecure snippets, then have a discussion based on
> numbers (ok vs. not ok) and how to proceed.
>
> In the limited sample set I've reviewed until now > 50% of the
> snippets either
>
> - bypass 'access' security (sometimes titles, sometimes full nodes)
> - allow XSS
> - allow SQL injection
> - allow a combination of the above
How about we write a page called "Common security flaws in snippets"? In
the Drupal community we spend more time explaining coding style than
we do teaching new users how to avoid security flaws in contributed
modules or in snippets. Security awareness has to become part of the
culture, and that means explaining security vulnerabilities in public
and educating the community.
Cheers,
Kieran
>
> Regards,
>
> Heine
>
> PS Should we decide to continue with php snippets in this way, I'll
> also be the one to publish them again :(
> --
> Pending work: http://drupal.org/project/issues/documentation/
> List archives: http://lists.drupal.org/pipermail/documentation/
>
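As an added illustration of the three flaw classes Heine lists (access bypass, XSS, SQL injection), and of the kind of material a "common security flaws in snippets" page would need, here is a typical "recent nodes" snippet first as such snippets were commonly written and then in a hardened form. This is example code written for this note, not a snippet from drupal.org or from either author; it assumes the Drupal 4.7-era API of the time (`db_query()` with `%s` placeholders, `db_query_range()`, `db_rewrite_sql()`, `node_load()`, `node_access()`, `l()` and `theme('item_list')`), and the function names `snippet_recent_nodes_unsafe` and `snippet_recent_nodes_safe` are my own.

```php
<?php
// Added example, not from the thread. Assumes the Drupal 4.7-era API;
// the two function names below are invented for this illustration.

// --- As commonly written: exhibits all three flaw classes at once ---
function snippet_recent_nodes_unsafe($type) {
  $out = '';
  // SQL injection: $type is concatenated straight into the query string.
  // Access bypass: no node_access check, so unpublished or
  // access-restricted nodes are listed as well.
  $result = db_query("SELECT nid, title FROM {node} WHERE type = '$type' ORDER BY created DESC LIMIT 10");
  while ($node = db_fetch_object($result)) {
    // XSS: the title is echoed into HTML without escaping.
    $out .= '<li><a href="?q=node/' . $node->nid . '">' . $node->title . '</a></li>';
  }
  return '<ul>' . $out . '</ul>';
}

// --- Hardened form ---
function snippet_recent_nodes_safe($type) {
  $items = array();
  // '%s' placeholder: db_query() escapes the argument, so $type cannot
  // alter the query (SQL injection closed).
  // db_rewrite_sql() adds the node_access join, so only nodes the current
  // user may view are returned; status = 1 excludes unpublished nodes.
  $sql = "SELECT n.nid FROM {node} n WHERE n.type = '%s' AND n.status = 1 ORDER BY n.created DESC";
  $result = db_query_range(db_rewrite_sql($sql), $type, 0, 10);
  while ($row = db_fetch_object($result)) {
    $node = node_load($row->nid);
    // Second layer: an explicit per-node access check in case a module
    // grants or denies access outside the node_access table.
    if (!node_access('view', $node)) {
      continue;
    }
    // l() runs the link text through check_plain(), closing the XSS hole.
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return theme('item_list', $items);
}
```

The hardened version keeps the snippet's behaviour (ten most recent nodes of a type, as links) while routing every untrusted value through the core API: placeholders for the query, `db_rewrite_sql()` plus `node_access()` for visibility, and `l()` for output escaping. A review checklist for snippets could simply ask whether each of those three paths is present.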