Multiple instances is when you're running more than one koha instance on a server.
Having the files accessible directly through apache strikes me as problematic. Adding an alias doesn't solve that really, and I don't think chmod 0644 will either. For a simple example, what if someone uploads a PHP file and you have mod_php enabled? can't it be solved just by an apache config (like "noexec" or something like
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6874 --- Comment #9 from Paul Poulain <paul.poulain@biblibre.com> 2011-10-13 13:16:11 UTC --- (In reply to comment #8) that ?)
The patch has a lot of 'warn's in it, looks like debug code.
Agreed, Julian, please update unconditional warns to "$debug and warn"
Most of the functions are undocumented, which is bad. If you're speaking of upload.pl, I fully agree, Julian, please add some documentation to this script.
Putting HTML/Javascript in .pl files is something that should really really be avoided, it's violating separation of concerns (I know that other parts of Koha have that, that upsets me too :) It should be pushed into a template.
If you speak of upload.pl, it's how it's made for all plugins and I don't think this should be changed for this one. I agree we should improve the cataloguing plugin system (& probably completely rewrite the cataloguing tool in fact), but that's outside the scope of this patch. For consistency reason I think upload.pl should continue to have this structure & embeed code & html & javascript.
I note that you search through to find a free filename. I can't tell what the base name will be (or perhaps it's provided by the uploader), but that a) risks a (very unlikely) race condition, and b) could get slow if there are many files. Perhaps include a timestamp as well? I don't understand what you mean here, so won't say anything.
If the OPAC is set so that it requires a valid login to access, then this will still allow those files to be accessible, which is bad. True, but how could we avoid this ? should we obfuscate all files URL by providing a pass-through perl script? Something like : <a href="/cgi-bin/koha/opac-retrieve.pl?filename=blabla">Download file</a> and opac-retrieve.pl: 1- check for Opac requiring login 2- send the file
Note that is would also solve your php uploaded concern right ? (Julian : if Robin confirms, ask stephane_n for what he did for Electre, it's that kind of thing) -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.