https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27434 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #4)
To be clear, I implemented it like that to provide an "allow list" of tasks we can executed. Otherwise we will potentially execute anything we don't have the hand on it.
However we may want to assume that if the DB is corrupted, it's too late already...
I suppose that's a case of security vs convenience. Having an allow list would be more secure, but less convenient - especially for plugins. What are the potential threats? Malicious Perl plugins? Other parts of the system sending malicious messages to RabbitMQ? Malicious Perl plugins are already a problem. Malicious messages would have to be extremely well crafted and even then... unlikely to do any harm especially if we used a hook like "run_koha_background_task". -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.