Re: PHP snippets (once again)

On May 7, 2006, at 7:26 AM, Heine Deelstra wrote:

> Dear doc team,
>
> I looked at several snippets yesterday and to my horror many of  
> them contain *obvious*, major security holes. I've spoken with the  
> leader of the security team (chx) and we agreed to unpublish all  
> obviously insecure snippets, then have a discussion based on  
> numbers (ok vs. not ok) and how to proceed.
>
> In the limited sample set I've reviewed until now > 50% of the  
> snippets either
>
> - bypass 'access' security (sometimes titles, sometimes full nodes)
> - allow XSS
> - allow SQL injection
> - allow a combination of the above

How about a write page called common security flaws in snippets.   In  
the Drupal community we spend more time explaining coding style then  
we do teaching new users how to avoid security flaws in contributed  
modules or in snippets.  Security awareness has to become part of the  
culture and that means explaining security vulnerabilities in public  
and educating the community.

Cheers,
Kieran
> Regards,
>
> Heine
>
> PS Should we decide to continue with php snippets in this way, I'll  
> also be the one to publish them again :(
> --
> Pending work: http://drupal.org/project/issues/documentation/
> List archives: http://lists.drupal.org/pipermail/documentation/

--
Pending work: http://drupal.org/project/issues/documentation/
List archives: http://lists.drupal.org/pipermail/documentation/