[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue May 21 20:29:25 CEST 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton <gmcharlt at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Passed QA                   |In Discussion
           Severity|blocker                     |normal

--- Comment #16 from Galen Charlton <gmcharlt at gmail.com> ---
(In reply to comment #13)
> Just a *dumb* question: But why should these "open source files" -- by no
> means :) -- be exposed through the browser?
> Much of this stuff will be from the standard install, available online
> elsewhere.
> Some small customizations are probably not of a "to be hidden nature".
> The larger custom work that for some reason should not be public (pity btw!
> we encourage to submit patches) can be hidden by a pro :)
> 
> Not in any way wanting to discourage your sending of patches!

Well, the motivation isn't to hide code or customizations per se, it's to
reduce the risk that the webserver could be made to send out sensitive
configuration information, e.g., DB passwords or the like.

In this specific case, there isn't anything (to my knowledge) in modules, xslt,
and includes that would be useful to an attacker, although I could certainly
see a customizer getting lazy and (say) hardcoding credentials into a template.

The upshot is that I see this patch as a useful direction to be thinking
towards, and I'm not opposed to pushing it (once Tomás' concerns are
addressed), but I think even better would be to move 

Since the revert is done, I'm setting this one to in discussion.  I'm also
setting the criticality back to 'normal'.  If there is a *specific*
security issue that warrants blocker status, please let me know.
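The point above is that template source directories sitting under the web server's document root are fetchable by URL unless the server is told otherwise. The following Apache fragment is an added illustration, not Koha's shipped configuration or the patch under discussion; the directory paths and the template-root layout are assumed for the example and must be adjusted to the real install. The weak form is shown commented out beside the corrected form.

```apache
# Added example, not Koha's own configuration. All paths below are assumed.

# Weak (commented out): the template root lives inside the document root and
# nothing restricts it, so any .inc/.tt/.xsl file can be fetched directly and
# "Indexes" additionally lets a visitor list directory contents.
#
# <Directory "/usr/share/koha/opac/htdocs">
#     Options Indexes FollowSymLinks
#     AllowOverride None
# </Directory>

# Corrected: no directory listings anywhere under the document root ...
<Directory "/usr/share/koha/opac/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>

# ... and refuse to serve the template source directories (modules, includes,
# xslt) as static files. The regex matches those directory names anywhere
# under the assumed template root. "Require all denied" is Apache 2.4 syntax;
# on Apache 2.2 use "Order deny,allow" followed by "Deny from all".
<DirectoryMatch "^/usr/share/koha/opac/htdocs/.*/(modules|includes|xslt)(/|$)">
    Require all denied
</DirectoryMatch>
```

To verify, request a known template or include path on the running server (for example with `curl -I`) and expect a 403 rather than the file body; then request a directory such as `.../includes/` with no index file and confirm it returns 403 rather than a listing. Moving the template tree outside the document root altogether, as the comment suggests, removes the need for the deny rule entirely.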
