From: James F. <jam...@gm...> - 2010-03-24 18:39:23
Can someone point me to the unit tests for this functionality ... perhaps we can use testing to discover (and assert) just how safe this thing is ... I know we have talked before about unit tests ... my feeling is that, at a minimum, everything core should get acceptance only if the source comes with unit tests; whilst this won't guarantee anything, it is always a good place to start.

J

On Wed, Mar 24, 2010 at 7:31 PM, Dmitriy Shabanov <sha...@gm...> wrote:
> On Wed, 2010-03-24 at 23:24 +0500, Dmitriy Shabanov wrote:
>> On Wed, 2010-03-24 at 19:00 +0100, Wolfgang Meier wrote:
>> > shouldn't those functions be limited to a dba user? Allowing guest to
>> > download any jar file from certain eXist directories seems to be a
>> > security issue.
>>
>> Do we speak about LibFunction? I don't see any security issue there, or
>> am I missing something?
>>
>> Any scenario?
>>
>> It's quite hard-coded stuff at the end.
>>
>
> As an example, oXygen can use it to dynamically get eXist's jars and/or check
> versions.
>
> Plus list:
> - it's fully controlled by code, no dynamic file names allowed.
> - read-only operations
>
> If I did miss something in the code, please point it out to me; I don't see any
> danger here. If the kernel version is a security hole, I should unplug myself
> right now.
>
> --
> Cheers,
>
> Dmitriy Shabanov