[Koha-bugs] [Bug 6874] File upload in MARC
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Oct 13 15:16:11 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6874
--- Comment #9 from Paul Poulain <paul.poulain at biblibre.com> 2011-10-13 13:16:11 UTC ---
(In reply to comment #8)
> Multiple instances is when you're running more than one koha instance on a
> server.
>
> Having the files accessible directly through apache strikes me as problematic.
> Adding an alias doesn't solve that really, and I don't think chmod 0644 will
> either. For a simple example, what if someone uploads a PHP file and you have
> mod_php enabled?
can't it be solved just by an apache config (like "noexec" or something like
that ?)
> The patch has a lot of 'warn's in it, looks like debug code.
Agreed, Julian, please update unconditional warns to "$debug and warn"
> Most of the functions are undocumented, which is bad.
If you're speaking of upload.pl, I fully agree, Julian, please add some
documentation to this script.
> Putting HTML/Javascript in .pl files is something that should really really be
> avoided, it's violating separation of concerns (I know that other parts of Koha
> have that, that upsets me too :) It should be pushed into a template.
If you speak of upload.pl, it's how it's made for all plugins and I don't think
this should be changed for this one.
I agree we should improve the cataloguing plugin system (& probably completely
rewrite the cataloguing tool in fact), but that's outside the scope of this
patch. For consistency reason I think upload.pl should continue to have this
structure & embeed code & html & javascript.
> I note that you search through to find a free filename. I can't tell what the
> base name will be (or perhaps it's provided by the uploader), but that a) risks
> a (very unlikely) race condition, and b) could get slow if there are many
> files. Perhaps include a timestamp as well?
I don't understand what you mean here, so won't say anything.
> If the OPAC is set so that it requires a valid login to access, then this will
> still allow those files to be accessible, which is bad.
True, but how could we avoid this ? should we obfuscate all files URL by
providing a pass-through perl script? Something like :
<a href="/cgi-bin/koha/opac-retrieve.pl?filename=blabla">Download file</a>
and opac-retrieve.pl:
1- check for Opac requiring login
2- send the file
Note that is would also solve your php uploaded concern right ?
(Julian : if Robin confirms, ask stephane_n for what he did for Electre, it's
that kind of thing)
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
More information about the Koha-bugs
mailing list