There's a security issue with using SF for our web and wiki. It's as
follows.
The web and wiki must be able to write the data somewhere. This data must
be writable by the apache user. Unfortunately, this means that any other
project at SF will also be able to write to our data... oops.
Bo and I have verified this, and I've asked a question on the PmWiki list
for any remedies. After that, one option is to ask SF about it.
Unfortunately I'm pessimistic that there will be an easy solution.
So... my question is if we are ok with the security risk, i.e. that some
malicious person(s) create a project and use that to modify our web pages.
We do have SVN for the web pages, so those are pretty easy to revert.
It's worse with the files uploaded by users, which would have to be stored
in a similar manner. Here an evil script could modify them without us
noticing, and since it's not possible to send emails from SF, the earlier
mechanism to notice changes will not pick it up either :-(
/Christian
--
Christian Ridderström Mobile: +46-70 687 39 44