[Koha-bugs] [Bug 6803] Removing remote include in MODS xslt
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Nov 7 10:19:08 CET 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6803
--- Comment #13 from Frère Sébastien Marie <semarie-koha at latrappe.fr> 2011-11-07 09:19:08 UTC ---
(In reply to comment #12)
> Thanks for more tests!
> Do you think that is safer to replace this remote include by the way?
>
> From another point of view (consistency), I would like to replace it too; it is
> the only remaining remote include in a xslt file in Koha.
It will be better to not depend of external source.
If I remember well about XSLT processing, XML::LibXSLT don't use security by
default (and koha don't set it).
But, this remote inclusion is *not* a security issue (if you trust LOC), as for
successfully use this vector, an attacker should:
- or compromise LOC (change what it is included)
- or compromise your local network infrastructure (DNS, router, server, ...)
So the risk is low (not null, but low).
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list