http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7804
Chris Cormack <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #23 from Chris Cormack <[email protected]> ---
(In reply to comment #22)
> (In reply to comment #21)
> > I've done some more thinking about the security implications of the plugin
> > system. I think the following are required for this to be sufficiently
> > secure for use:
> > * Both a syspref *and* a configuration setting in koha-conf.xml should be
> > required to enable plugins, and both should be disabled by default.
> > * Even when plugins are enabled, a separate koha-conf.xml configuration
> > setting should be required to enable upload from the staff client.
> > * The plugins should be loaded with Module::Load::Conditional, and each type
> > of plugin (Tools, Reports, etc.) should use a different interface. e.g.
> > Koha::Plugin::Foobar->run_report() and Koha::Plugin::Foobar->run_tool()
> > * The plugin host should enable mandatory taint checking.
> > * Under no circumstances should the plugin feature add a +Exec directory.
>
> I can understand the configuration setting requirements. However, I cannot
> understand how to use Module::Load::Conditional, even after looking at the
> example patch you pointed me to. I don't feel it is quite fair to require
> the use of a poorly documented perl module. Can you please justify these
> requirements?

You have read http://search.cpan.org/dist/Module-Load-Conditional/lib/Module/Load/Conditional.pm eh? I don't find it particularly badly documented. And it is part of Perl core, so is not a new dependency.

Module::Load::Conditional is but one way of solving loading modules on the fly.

I am sure you understand why a +Exec directory is a bad idea, and why using taint is a good one. As well as being off by default and unable to be turned on via the web is a good one.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
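The five requirements quoted from comment #21 (double opt-in via syspref plus koha-conf.xml, a separate upload switch, on-demand loading with Module::Load::Conditional, a distinct interface per plugin type, and mandatory taint mode with no +Exec directory) fit together in a few dozen lines of Perl. The block below is an added illustration and is not code from the bug thread, from the patch under review, or from Koha itself; the preference name UseKohaPlugins, the koha-conf.xml keys enable_plugins, enable_plugin_upload and pluginsdir, the plugin directory path, and the Koha::Plugin:: namespace rule are assumptions made for the example. It uses only documented Module::Load::Conditional functions (can_load, check_install, $Module::Load::Conditional::ERROR).

```perl
#!/usr/bin/perl -T
# Added example, not Koha code. Loads a plugin class on demand under taint
# mode, gated by two independent switches, and checks the per-type
# interface before returning the class to the caller. Plugins are plain
# Perl modules run in-process under this script's -T flag; nothing here
# needs an Apache ExecCGI (+Exec) directory.
use strict;
use warnings;
use Module::Load::Conditional qw(can_load check_install);

# Constructed stand-ins for C4::Context->preference() and the koha-conf.xml
# <config> block (assumed names). In Koha these would come from the DB and
# the XML file; both switches default to off.
my %syspref   = ( UseKohaPlugins => 0 );
my %koha_conf = (
    enable_plugins       => 0,
    enable_plugin_upload => 0,                      # separate switch for staff-client upload
    pluginsdir           => '/var/lib/koha/plugins', # assumed path
);

# One required method per plugin type: a Tools plugin is never asked to
# run_report() and a Reports plugin is never asked to run_tool().
my %iface = ( report => 'run_report', tool => 'run_tool' );

sub plugins_enabled {
    my ($pref, $conf) = @_;
    return ( $pref->{UseKohaPlugins} && $conf->{enable_plugins} ) ? 1 : 0;
}

sub upload_enabled {
    my ($pref, $conf) = @_;
    return ( plugins_enabled($pref, $conf) && $conf->{enable_plugin_upload} ) ? 1 : 0;
}

# Under -T anything read from config, the DB or CGI parameters is tainted,
# and require()/can_load() on a tainted name dies with "Insecure dependency".
# Untaint only by matching a strict whitelist, never with /(.*)/.
sub untaint_class {
    my ($name) = @_;
    my ($clean) = $name =~ /\A(Koha::Plugin::[A-Za-z][A-Za-z0-9_]*(?:::[A-Za-z][A-Za-z0-9_]*)*)\z/
        or return;
    return $clean;
}

sub untaint_dir {
    my ($dir) = @_;
    my ($clean) = $dir =~ m{\A(/[A-Za-z0-9_./-]+)\z} or return;
    return if $clean =~ m{(?:\A|/)\.\.(?:/|\z)};    # no traversal components
    return $clean;
}

sub load_plugin {
    my ($type, $raw_name, $pref, $conf) = @_;
    die "plugins are disabled\n" unless plugins_enabled($pref, $conf);
    my $method = $iface{$type}            or die "unknown plugin type '$type'\n";
    my $class  = untaint_class($raw_name) or die "refusing plugin name '$raw_name'\n";
    my $dir    = untaint_dir($conf->{pluginsdir}) or die "bad pluginsdir\n";

    # Only the untainted plugin directory is added, and only for this call.
    local @INC = ($dir, @INC);

    # can_load() returns true only if the module was found and compiled;
    # nocache avoids reusing an earlier negative result. A version of undef
    # means "any version".
    can_load( modules => { $class => undef }, nocache => 1, verbose => 0 )
        or die "cannot load $class: $Module::Load::Conditional::ERROR\n";

    # check_install() reports where the module came from, useful for logging
    # which file actually got loaded from the plugin directory.
    my $info = check_install( module => $class );
    warn sprintf "loaded %s from %s\n", $class, $info->{file} // '?' if $info;

    # Per-type interface check: refuse a module that does not implement the
    # method this plugin type is contracted to provide.
    die "$class is not a $type plugin (no $method method)\n"
        unless $class->can($method);
    return $class;
}

# Stand-alone run: with both switches at their default (off) this dies with
# "plugins are disabled" before any code from the plugin directory is touched.
my $requested = @ARGV ? $ARGV[0] : 'Koha::Plugin::Com::Example::Report';  # tainted input
my $class = eval { load_plugin('report', $requested, \%syspref, \%koha_conf) };
print $class ? "ready: $class->$iface{report}()\n" : "refused: $@";
```

To see the load path taken, set UseKohaPlugins and enable_plugins to 1 and point pluginsdir at a directory containing Koha/Plugin/Com/Example/Report.pm that defines run_report; a module that compiles but lacks run_report is still refused at the interface check, and a name such as "../../etc/passwd" or "Koha::Plugin::Foo; system 'id'" never reaches require() because untaint_class returns nothing for it. The verbose => 0 argument keeps can_load from printing compile errors to STDERR, which is why the die message carries $Module::Load::Conditional::ERROR instead.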
