From: Dmitriy S. <sha...@gm...> - 2010-03-24 18:33:42

On Wed, 2010-03-24 at 23:24 +0500, Dmitriy Shabanov wrote:
> On Wed, 2010-03-24 at 19:00 +0100, Wolfgang Meier wrote:
> > Shouldn't those functions be limited to a dba user? Allowing guest to
> > download any jar file from certain eXist directories seems to be a
> > security issue.
>
> Do we speak about LibFunction? I don't see any security issue there, or
> am I missing something?
>
> Any scenario?
>
> It's quite hard-coded stuff in the end.

As an example, oXygen can use it to dynamically get eXist's jars and/or check versions.

Plus list:
- It is fully controlled by code; no dynamic file names are allowed.
- Read-only operations.

If I did miss something in the code, please point it out to me; I don't see any danger here.

If the kernel version is a security hole, I should unplug myself right now.

--
Cheers,
Dmitriy Shabanov