Disable insecure modules
Pasqualle - January 2, 2008 - 10:27
| Project: | Update status advanced settings |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | won't fix |
Description
I would like to see an option to automatically disable insecure modules (modules with security issues).
Or create an event which can trigger the disable module action.

#1
Obviously, that wouldn't work for when update.module discovers an insecure version of core. :( And, this strikes me as a potentially very bad thing to disable modules automatically. What if, for example, an access control module or a login-related module is deemed to have a security vulnerability? Disabling the module might be worse for the security of the site than the vulnerability (e.g. on a site that only allows approved users to post content, XSS might not be quite as much of a concern, but disclosing a bunch of private content by disabling an access module would be a huge problem).
So, I'm inclined to say this is a bad idea, overall. At best, I'd say someone should work towards exposing "module foo is insecure" to actions.module via http://drupal.org/node/158541 and then letting site admins click together some kind of crazy policy to decide which modules are ok to auto-disable, etc. Therefore, won't fix.