http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6803 --- Comment #13 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-07 09:19:08 UTC --- (In reply to comment #12)
Thanks for more tests! Do you think that is safer to replace this remote include by the way?
From another point of view (consistency), I would like to replace it too; it is the only remaining remote include in a xslt file in Koha.
It will be better to not depend of external source. If I remember well about XSLT processing, XML::LibXSLT don't use security by default (and koha don't set it). But, this remote inclusion is *not* a security issue (if you trust LOC), as for successfully use this vector, an attacker should: - or compromise LOC (change what it is included) - or compromise your local network infrastructure (DNS, router, server, ...) So the risk is low (not null, but low). -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.