http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812
Galen Charlton <[email protected]> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
         Status    |Passed QA   |In Discussion
       Severity    |blocker     |normal

--- Comment #16 from Galen Charlton <[email protected]> ---

(In reply to comment #13)
> Just a *dumb* question: But why should these "open source files" -- by no
> means :) -- be exposed through the browser?
> Much of this stuff will be from the standard install, available online
> elsewhere.
> Some small customizations are probably not of a "to be hidden nature".
> The larger custom work that for some reason should not be public (pity btw!
> we encourage to submit patches) can be hidden by a pro :)
>
> Not in any way wanting to discourage your sending of patches!

Well, the motivation isn't to hide code or customizations per se, it's to reduce the risk that the webserver could be made to send out sensitive configuration information, e.g., DB passwords or the like. In this specific case, there isn't anything (to my knowledge) in modules, xslt, and includes that would be useful to an attacker, although I could certainly see a customizer getting lazy and (say) hardcoding credentials into a template.

The upshot is that I see this patch as a useful direction to be thinking towards, and I'm not opposed to pushing it (once Tomás' concerns are addressed), but I think even better would be to move

Since the revert is done, I'm setting this one to in discussion. I'm also setting the criticality back to 'normal'. If there is a *specific* security issue that warrants blocker status, please let me know.

--
You are receiving this mail because:
You are watching all bug changes.

_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
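The mitigation the comment above is circling around (keep the webserver from serving template, XSLT and module directories as static files, so a hardcoded credential in a template never reaches a browser) can be expressed directly in the Apache configuration. The following is an added example written for this page, not the patch under discussion and not configuration shipped by the Koha project; the document root, virtual host name and the exact subdirectory layout are assumptions and must be adjusted to the installation at hand. It uses Apache 2.4 `Require` syntax.

```apache
# Added example, not Koha project configuration. Paths and hostnames are
# placeholders (assumptions): substitute the real document root and the
# directory names that actually hold templates, XSLT and Perl modules.

<VirtualHost *:80>
    ServerName opac.example.org
    DocumentRoot /path/to/koha/opac/htdocs

    # Weak setting (left commented out for comparison): the whole tree is
    # served as static content, so any file under modules/, xslt/ or
    # includes/ is one guessed URL away from being downloaded.
    #
    # <Directory /path/to/koha/opac/htdocs>
    #     Require all granted
    # </Directory>

    # Corrected: grant access to the document root, then explicitly refuse
    # the subtrees that exist only for the template engine. DirectoryMatch
    # takes a regular expression, so it covers every language/theme path
    # that ends in one of those directory names.
    <Directory /path/to/koha/opac/htdocs>
        Require all granted
    </Directory>

    <DirectoryMatch "^/path/to/koha/opac/htdocs/.*/(modules|xslt|includes)/">
        Require all denied
    </DirectoryMatch>

    # Belt and braces: never serve template source by extension either,
    # wherever a copy happens to land inside the document root.
    <FilesMatch "\.(tt|inc|pm|xsl|xslt)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

To check the change after a reload, request a file that lives under one of the denied directories (or any `.tt` or `.inc` file) with a plain HTTP client; the expected response is `403 Forbidden`, while pages rendered by the application through its CGI or PSGI handler continue to return `200`. A `403` is preferable to a `404` for this purpose only in that it makes the denial visible in the access log, which is where a defender would want to spot probing for these paths.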
