[Koha-bugs] [Bug 30649] Vendor EDI account passwords should be encrypted in the database

bugzilla-daemon at bugs.koha-community.org
Tue Nov 1 06:08:39 CET 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30649

--- Comment #14 from Victor Grousset/tuxayo <victor at tuxayo.net> ---
(In reply to Kyle M Hall from comment #9)
> (In reply to Victor Grousset/tuxayo from comment #8)
> > I don't get how to encrypt a password to an external service and still be
> > able to use the external service. Does that mean Koha can in full autonomy
> > decrypt it?
> 
> Yes, we store a key in the koha conf file for encryption and decryption. I
> need to rebase this patch to use the work from Bug 28998.

OK, IIUC the security value doesn't come from encryption but from having the
data out of the DB. So a simple SQL injection can't get it.
Is there any gain compared to just storing the passwords in koha-conf.xml
directly?
(hum, maybe Koha can't write to that file and that would need a separate file)
Like, is it a plausible attack scenario to be able to read the file but not the
DB? That's when needing both would help.
