[Koha-bugs] [Bug 25370] Create whitelist of plugins allowed to be installed

bugzilla-daemon at bugs.koha-community.org
Tue May 5 01:42:59 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370

--- Comment #1 from David Cook <dcook at prosentient.com.au> ---
I am thinking the whitelist would contain an entry like
"Koha::Plugin::Com::ByWaterSolutions::CSV2MARC". 

However, another plugin could pretend to be that same one. A malicious plugin
could pretend to be a popular plugin and thus defeat the whitelist.

With Bug 24632, that would be far less likely. You could set up your plugin
keys so that only ByWater Solutions is trusted, and then only
"Koha::Plugin::Com::ByWaterSolutions::CSV2MARC" is allowed on the whitelist.

It is still possible to have collisions if you trust more than one provider and
they use the same name, but that is unlikely due to the naming conventions Kyle
created from the start. Different vendors should use their company names like
"Koha::Plugin::Com::ProsentientSystems::OaiHarvester" (which one day I hope to
be a real thing). 

Plus, if we did start using vendor/community GitHub/GitLab as repositories, we
could potentially limit the likelihood of people sourcing plugins from obscure
locations.
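The two whitelist designs the comment contrasts, as an added illustration that is not Koha's code and not part of the bug thread: a name-only whitelist accepts any package that claims the listed class name, while a whitelist that binds each class name to the vendor trusted to publish it also requires the package to verify under that vendor's key. The per-vendor HMAC secrets and the `sign_package`, `allowed_by_name_and_key`, `vendor_from_name` and `name_collisions` helpers are all assumptions made for this example (Bug 24632's actual key mechanism is not described on this page); the plugin packages are constructed byte strings.

```python
import hashlib
import hmac

# Constructed whitelist of fully qualified plugin class names, the kind of
# entry the comment proposes. Nothing in this file is Koha's own code.
NAME_WHITELIST = {"Koha::Plugin::Com::ByWaterSolutions::CSV2MARC"}

# Hypothetical per-vendor signing keys. An HMAC secret per vendor stands in
# for whatever key scheme Bug 24632 actually uses; the values are made up.
VENDOR_KEYS = {
    "ByWaterSolutions": b"constructed-bywater-key",
    "ProsentientSystems": b"constructed-prosentient-key",
}

# Whitelist that binds each allowed class name to the one vendor trusted to ship it.
BOUND_WHITELIST = {
    "Koha::Plugin::Com::ByWaterSolutions::CSV2MARC": "ByWaterSolutions",
}


def sign_package(vendor_key: bytes, class_name: str, package: bytes) -> str:
    """Vendor side: tag a plugin package with the vendor's key (stand-in for a real signature)."""
    msg = class_name.encode() + b"\0" + package
    return hmac.new(vendor_key, msg, hashlib.sha256).hexdigest()


def allowed_by_name(class_name: str) -> bool:
    """Name-only whitelist: anything that claims a listed class name passes."""
    return class_name in NAME_WHITELIST


def allowed_by_name_and_key(class_name: str, package: bytes, signature: str) -> bool:
    """Whitelist entry plus vendor key: the package must verify under the bound vendor's key."""
    vendor = BOUND_WHITELIST.get(class_name)
    if vendor is None:
        return False
    expected = sign_package(VENDOR_KEYS[vendor], class_name, package)
    return hmac.compare_digest(expected, signature)


def vendor_from_name(class_name: str):
    """Read the vendor segment of the Koha::Plugin::Com::<Vendor>::<Name> convention, or None."""
    parts = class_name.split("::")
    if len(parts) >= 5 and parts[:3] == ["Koha", "Plugin", "Com"]:
        return parts[3]
    return None


def name_collisions(names_by_vendor):
    """Given each trusted vendor's class names, report names claimed by more than one vendor."""
    owners = {}
    for vendor, names in names_by_vendor.items():
        for name in names:
            owners.setdefault(name, set()).add(vendor)
    return {name: sorted(vendors) for name, vendors in owners.items() if len(vendors) > 1}


# Constructed packages: the genuine plugin and a look-alike that reuses its class name.
NAME = "Koha::Plugin::Com::ByWaterSolutions::CSV2MARC"
GENUINE = b"package Koha::Plugin::Com::ByWaterSolutions::CSV2MARC; # constructed genuine code"
LOOKALIKE = b"package Koha::Plugin::Com::ByWaterSolutions::CSV2MARC; # constructed look-alike"

genuine_sig = sign_package(VENDOR_KEYS["ByWaterSolutions"], NAME, GENUINE)
# A package not produced with ByWater's key cannot carry a valid ByWater tag;
# here it carries one made with an unrelated constructed key.
lookalike_sig = sign_package(b"constructed-unrelated-key", NAME, LOOKALIKE)

if __name__ == "__main__":
    print("name only, look-alike  :", allowed_by_name(NAME))
    print("name+key, genuine      :", allowed_by_name_and_key(NAME, GENUINE, genuine_sig))
    print("name+key, look-alike   :", allowed_by_name_and_key(NAME, LOOKALIKE, lookalike_sig))
    print("vendor from name       :", vendor_from_name(NAME))
    print("collisions if 2 vendors reuse a name:",
          name_collisions({"VendorA": ["Koha::Plugin::Com::Shared::Tool"],
                           "VendorB": ["Koha::Plugin::Com::Shared::Tool"]}))
```

The last call shows the residual collision the comment mentions: it only arises when two trusted vendors publish the same class name, which the `Koha::Plugin::Com::<Vendor>::...` convention is meant to prevent, and `vendor_from_name` is the check that flags a package whose name segment does not match the vendor whose key it verifies under.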
