[Koha-bugs] [Bug 23890] Plugins that utilise possibly security breaching hooks should warn
bugzilla-daemon at bugs.koha-community.org
Mon Oct 28 19:53:54 CET 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23890
--- Comment #2 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
I've changed my mind on this one... whilst going through existing hooks and
trying to pick which methods potentially exposed us to nefarious code, I pretty
much decided that they all could.
+ 'opac_online_payment' => '1',
+ 'opac_online_payment_end' => '1',
+ 'opac_online_payment_begin' => '1',
+ 'to_marc' => '1',
+ 'edifact_transport' => '1',
+ 'edifact_process_invoice' => '1',
+ 'edifact_order' => '1',
+ 'edifact' => '1',
+ 'opac_head' => '1',
+ 'opac_js' => '1',
+ 'intranet_head' => '1',
+ 'intranet_js' => '1',
+ 'intranet_catalog_biblio_enhancements_toolbar_button' => '1',
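Review bot: every entry in this hash carries the same value '1', so the flag cannot tell an administrator anything about what a given hook exposes, and, as the comment above argues, any of these hooks runs plugin Perl inside the Koha process with the process's full privileges. If the list is kept, document what inclusion means for each group (the names opac_head, opac_js, intranet_head and intranet_js suggest markup injected into pages, the opac_online_payment* and edifact* entries suggest handling of payment and EDI data) or collapse it to one warning shown for every plugin that registers any hook. Minor: the opac_online_payment entries are listed as base, _end, _begin rather than in begin/end order, and a numeric 1 would read more naturally than the string '1'.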
As such, I think warning on some but not others could actually lead us to a worse
situation where inexperienced system administrators are lulled into a false
sense of security.
In reality, I feel we need a cleaner delivery method for plugins as a community
and perhaps a signing procedure to state a certain level of trust/quality.
This is something I've wanted to work on for some time but not had a moment to
implement to date.
As such, I don't believe this should hold up bug 22706.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
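The signing procedure floated in the comment above, sketched as an added example that is not Koha's code or anything from this bug: a publisher signs a manifest of the plugin archive's members with an Ed25519 key, and the installer verifies the signature with a shipped public key and then checks the archive against the manifest before any hook is loaded. It assumes the CPAN modules Crypt::PK::Ed25519 (from CryptX) and Digest::SHA are installed; the manifest format, the function names and the sample members are all constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PK::Ed25519;
use Digest::SHA qw(sha256_hex);

# Constructed stand-in for the members of a plugin archive: path => content.
my %members = (
    'Koha/Plugin/Com/Example/Demo.pm' => "package Koha::Plugin::Com::Example::Demo;\n1;\n",
    'PLUGIN.json'                     => qq({"name":"Demo","version":"1.0.0"}\n),
);

# One line per member, "sha256  path", sorted so the manifest is canonical.
sub manifest_for {
    my ($files) = @_;
    return join "\n", map { sha256_hex( $files->{$_} ) . "  $_" } sort keys %$files;
}

# Publisher side: sign the manifest with the (hypothetical) community signing key.
my $signer = Crypt::PK::Ed25519->new;
$signer->generate_key;
my $pub_pem  = $signer->export_key_pem('public');   # only this is shipped with Koha
my $manifest = manifest_for(\%members);
my $sig      = $signer->sign_message($manifest);

# Installer side: refuse to load a plugin unless the manifest is authentic
# and the archive actually matches it.
sub verify_plugin {
    my ( $files, $signed_manifest, $signature, $trusted_pub_pem ) = @_;
    my $pk = Crypt::PK::Ed25519->new;
    $pk->import_key( \$trusted_pub_pem );
    return 0 unless $pk->verify_message( $signature, $signed_manifest );
    # Signature is good, so the manifest is what the publisher signed;
    # now make sure no member was altered after signing.
    return manifest_for($files) eq $signed_manifest ? 1 : 0;
}

print verify_plugin( \%members, $manifest, $sig, $pub_pem ) ? "trusted\n" : "REJECT\n";

# Tamper with one member after signing: the manifest check must now fail.
$members{'Koha/Plugin/Com/Example/Demo.pm'} .= "# altered after signing\n";
print verify_plugin( \%members, $manifest, $sig, $pub_pem ) ? "trusted\n" : "REJECT\n";
```

The point of signing the manifest rather than a single archive digest is that the installer can report which member changed, and that the same manifest can be re-signed by a second key (a distributor's, say) without repackaging. Whatever the format, the verification has to run before the plugin's Perl is compiled, since by the time any hook in the list above is called the code already has everything the Koha process has.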