[Koha-bugs] [Bug 7804] Add Koha Plugin System

bugzilla-daemon at bugs.koha-community.org
Mon May 21 22:50:36 CEST 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7804

--- Comment #24 from Jared Camins-Esakov <jcamins at cpbibliography.com> ---
(In reply to comment #22)
> (In reply to comment #21)
> > I've done some more thinking about the security implications of the plugin
> > system. I think the following are required for this to be sufficiently
> > secure for use:
> > * Both a syspref *and* a configuration setting in koha-conf.xml should be
> > required to enable plugins, and both should be disabled by default.
> > * Even when plugins are enabled, a separate koha-conf.xml configuration
> > setting should be required to enable upload from the staff client.
> > * The plugins should be loaded with Module::Load::Conditional, and each type
> > of plugin (Tools, Reports, etc.) should use a different interface. e.g.
> > Koha::Plugin::Foobar->run_report() and Koha::Plugin::Foobar->run_tool()
> > * The plugin host should enable mandatory taint checking.
> > * Under no circumstances should the plugin feature add a +Exec directory.
> 
> I can understand the configuration setting requirements. However, I cannot
> understand how to use Module::Load::Conditional, even after looking at the
> example patch you pointed me to. I don't feel it is quite fair to require
> the use of a poorly documented Perl module. Can you please justify these
> requirements?

You can also use Module::Load if you'd prefer to handle error conditions
yourself.

As for why I think this is necessary, consider a plugin which is nothing but a
one-line forkbomb. Having an executable file doesn't even require someone to
follow an API. They can simply download one of the gazillion examples of how
to take down your server with one line (just, what, 9 characters if you're
using bash?), zip it up with your example ini file, and bring down the server.
Or a plugin which actually just contains a command line script for
reinitializing your Koha database for testing. Accidentally zip that up with
your plugin, have someone connect to it (and there's no need for authentication
to access a plugin, notice!), and your production server is pristine. Like the
cheese shop, it is very clean.

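An added example, not part of the original thread and not Koha code: one way a plugin host could load plugins with Module::Load::Conditional and keep a separate interface method per plugin type, as comment #21 proposes. `run_plugin`, `%INTERFACE` and the sample plugin written to a temporary directory are hypothetical names constructed for illustration; only `Koha::Plugin::Foobar`, `run_report` and `run_tool` come from the comment.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use Module::Load::Conditional qw(can_load);

# One interface method per plugin type (hypothetical table for this example).
my %INTERFACE = ( report => 'run_report', tool => 'run_tool' );

# Constructed sample plugin, written to a temp dir so the example runs offline.
my $dir = tempdir( CLEANUP => 1 );
make_path("$dir/Koha/Plugin");
open my $fh, '>', "$dir/Koha/Plugin/Foobar.pm" or die $!;
print {$fh} <<'PLUGIN';
package Koha::Plugin::Foobar;
sub run_report { return "report from " . shift }
1;
PLUGIN
close $fh;
unshift @INC, $dir;

sub run_plugin {
    my ( $type, $name ) = @_;
    my $method = $INTERFACE{$type} or return ( undef, "unknown plugin type" );

    # Accept a bare identifier only; the capture also untaints it under -T.
    my ($safe) = $name =~ /\A([A-Za-z][A-Za-z0-9_]*)\z/
        or return ( undef, "invalid plugin name" );
    my $class = "Koha::Plugin::$safe";

    # can_load returns false instead of dying when the module is missing or broken.
    can_load( modules => { $class => 0 } )
        or return ( undef, "cannot load $class" );

    # A report plugin must not be reachable through the tool interface.
    $class->can($method)
        or return ( undef, "$class does not implement $method" );
    return ( $class->$method(), undef );
}

# Constructed inputs: one valid call and three that the host refuses.
for my $case ( [ report => 'Foobar' ], [ tool => 'Foobar' ],
               [ report => 'Missing' ], [ report => '../../etc/x' ] ) {
    my ( $out, $err ) = run_plugin(@$case);
    printf "%-6s %-12s => %s\n", @$case, defined $out ? $out : "refused: $err";
}
```

Because the plugin is loaded as a module and called through a named method, nothing in the plugin directory has to be executable or directly reachable over HTTP.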

