[Koha-devel] buildrelease

Andrew Arensburger arensb at ooblick.com
Sat Sep 21 15:15:01 CEST 2002


	I've been looking at the 'buildrelease' script, and have a few
comments and questions about it.

	For one thing, it looks for ".kohaautobuild.conf" and "docs/"
in root's home directory, rather than in the current user's home
directory or the CVS build directory. I assume these are considered
bugs.

	Also, it uses "cp -a", which isn't portable (neither FreeBSD's
nor Solaris's 'cp' take a "-a" option).

	The way it builds the distribution directory (which will be
tarred up as the distribution tarball) is to copy everything from the
CVS build directory into /tmp/koha-1.2.3/intranet-cgi, and then move
things around, or delete unwanted files.
	The problem with this is that it can leave an awful lot of
cruft in the intranet-cgi directory, which might therefore wind up in
the end-user's internal/cgi-bin directory. I don't know about y'all,
but I tend to generate a fair number of temporary files that shouldn't
wind up in the release.
	For instance, if I find a security hole in "somescript.pl", I
might make a backup copy "somescript.pl.buggy" for reference before
fixing the bug. The way 'buildrelease' and the installation
instructions are currently written, "somescript.pl.buggy" will wind up
in a number of end-users' internal/cgi-bin directories. And since the
source and revision history are there for all to see, it'll be fairly
easy for a black-hat to write an exploit.

	A better approach, IMO, would be to have a file that specifies
which files are to be included in the distribution, and where:

	ChangeLog*		.
	search.pl		intranet-cgi
	search.pl		opac-cgi
	koha-html/intranet-html/index.html	intranet-html
	...

So that all of the ChangeLog* files will be copied to /tmp/koha-1.2.3,
"search.pl" will be copied to both /tmp/koha-1.2.3/intranet-cgi and
/tmp/koha-1.2.3/opac-cgi, koha-html/intranet-html/index.html will be
copied to /tmp/koha-1.2.3/intranet-html, and so forth.

	If people tell me, "you found the bug, you fix it", I will.

	Oh, and a general comment about Koha: none of these CGI
scripts perform taint checks, even though they take user input. IMO
this is a Bad Thing.

-- 
Andrew Arensburger                      This message *does* represent the
arensb at ooblick.com                      views of ooblick.com
	   Reality? But there are DIRTY DISHES in Reality!
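The manifest-driven staging Andrew proposes above, as an added example (written for this page; it is not Koha's buildrelease script and not code from the original message). It reads the two-column manifest format shown in the message (glob pattern, then destination directory, with "." meaning the release root), copies only what the manifest names into a staging directory, and refuses to build if an entry matches nothing. Everything it touches is POSIX sh plus cp -pR, mkdir -p and tar, so there is no "cp -a". The sample source tree, the MANIFEST contents, the "somescript.pl.buggy" backup and the CVS/ directory are constructed here for the demonstration, and mktemp -d is assumed to be available.

```sh
#!/bin/sh
# Added example (not Koha's buildrelease): stage a release tree from a manifest.
#
# Manifest format, as proposed on the list: one entry per line,
#   <glob relative to the source tree>   <destination dir relative to the staging root>
# where "." is the staging root itself. Blank lines and '#' comments are ignored.
# Only what the manifest names is copied, so stray files such as
# somescript.pl.buggy or a CVS/ directory never reach the tarball.
#
# Portability: POSIX sh, cp -pR, mkdir -p and tar only; no "cp -a".

tab=$(printf '\t')

# stage_release SRC MANIFEST STAGE
# Returns 0 if every manifest entry matched at least one file, 1 otherwise.
# An entry that matches nothing is almost always a typo, so it is an error
# rather than a silently incomplete release.
stage_release() {
    src=$1 manifest=$2 stage=$3
    rc=0
    mkdir -p "$stage" || return 1
    # The "|| [ -n ... ]" keeps a final line without a trailing newline.
    while IFS=" $tab" read -r pattern dest || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        if [ -z "$dest" ]; then
            echo "manifest: no destination for '$pattern'" >&2
            rc=1
            continue
        fi
        mkdir -p "$stage/$dest" || return 1
        matched=0
        # $pattern is deliberately unquoted so the shell expands the glob under $src.
        for f in "$src"/$pattern; do
            [ -e "$f" ] || continue
            matched=1
            cp -pR "$f" "$stage/$dest/" || return 1   # -p keeps modes and mtimes
        done
        if [ "$matched" -eq 0 ]; then
            echo "manifest: '$pattern' matches nothing under $src" >&2
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# pack_release STAGE TARBALL
# Archives STAGE so the tarball's top-level directory is STAGE's basename
# (e.g. koha-1.2.3/), without GNU-only tar options such as -C.
pack_release() {
    stage=$1 tarball=$2
    (cd "$(dirname "$stage")" && tar cf - "$(basename "$stage")") > "$tarball"
}

# make_sample_tree DIR
# Constructed sample source tree, including the cruft the message warns about
# (a .buggy backup and a CVS/ directory) that must NOT end up in the release.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/koha-html/intranet-html" "$dir/CVS"
    echo '1.2.3 release notes' > "$dir/ChangeLog"
    echo 'older notes'         > "$dir/ChangeLog.old"
    printf '#!/usr/bin/perl -T\nprint "search\\n";\n' > "$dir/search.pl"
    printf '#!/usr/bin/perl\nprint "fixed\\n";\n'     > "$dir/somescript.pl"
    printf '#!/usr/bin/perl\nprint "buggy\\n";\n'     > "$dir/somescript.pl.buggy"
    echo '<html></html>' > "$dir/koha-html/intranet-html/index.html"
    echo 'D/koha-html////' > "$dir/CVS/Entries"
    chmod 755 "$dir/search.pl" "$dir/somescript.pl"
}

# Manifest matching the proposal in the message, plus the fixed somescript.pl.
sample_manifest() {
    printf '%s\n' \
        '# files to ship and where they go' \
        "ChangeLog*${tab}${tab}." \
        "search.pl${tab}${tab}intranet-cgi" \
        "search.pl${tab}${tab}opac-cgi" \
        "somescript.pl${tab}${tab}intranet-cgi" \
        "koha-html/intranet-html/index.html${tab}intranet-html"
}

# Demo run on the constructed tree.
work=$(mktemp -d)
make_sample_tree "$work/src"
sample_manifest > "$work/MANIFEST"
stage_release "$work/src" "$work/MANIFEST" "$work/koha-1.2.3"
pack_release "$work/koha-1.2.3" "$work/koha-1.2.3.tar"
tar tf "$work/koha-1.2.3.tar" | sort
```

Run as-is to see the listing; the tarball contains ChangeLog, ChangeLog.old, intranet-cgi/search.pl, intranet-cgi/somescript.pl, opac-cgi/search.pl and intranet-html/index.html, and nothing else. Two design points: one file can be listed twice with different destinations (search.pl above), and because the manifest is a whitelist rather than a "copy everything, then delete" pass, any new scratch file in a developer's checkout is excluded by default instead of included by default.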