[Koha-devel] Bug 5636
Galen Charlton
gmc at esilibrary.com
Mon Dec 12 18:07:02 CET 2011
Hi,
On 12/12/2011 11:24 AM, Ian Walls wrote:
> My difficulty with this patch is that it sets precedent for implementing
> both commandline and staff client interfaces for a single script. Up
> until now, that's not been the case (as far as my research has shown;
> counter-examples welcome). I just think we need, for consistency's sake,
> to either make this the standard practice, or require separate cronjobs.
I think it goes beyond just consistency. Without having looked at the
particular script in question, most/all command-line scripts produce
output files. No big deal, right? But if the script can also run as a
CGI script, keep in mind that it runs with the same privileges as
whatever user the webserver is running as. If such a script has a bug
that allows it to be run by Apache *and* invoke one or more of the
command-line output file options, in principle it could scribble over
other files.
Such an attack may be more theoretical than real, but my preference
would be that if a script's logic should be accessible from the command
line and the web interface, to put the logic in the API and have the CGI
and CLI scripts just be thin wrappers.
Regards,
Galen
--
Galen Charlton
Director of Support and Implementation
Equinox Software, Inc. / The Open Source Experts
email: gmc at esilibrary.com
direct: +1 770-709-5581
cell: +1 404-984-4366
skype: gmcharlt
web: http://www.esilibrary.com/
Supporting Koha and Evergreen: http://koha-community.org &
http://evergreen-ils.org