Evaluate installation for security risk

rszrama - May 8, 2008 - 14:19
Project:Pear
Version:6.x-0.x-dev
Component:Code
Category:task
Priority:normal
Assigned:Unassigned
Status:by design
Description

You mention the module currently does this upon installation:

"A 'pear' directory is created in the sites 'files' directory. This location was chosen because any other location cannot be assumed to be writable by Drupal."

I'm not fully hip on what PEAR does and what sorts of files it will download, but is putting this stuff in your site's public files directory the best idea? For example, will this lead to me having scripts in my files directory that anyone could browse to and execute?

The Drupal file system operates by forcing the user to create their own files directory and specifying whether this is public or private. Other modules (like various components of Ubercart) also rely on the user creating a directory outside of the webroot and entering the path in a settings form. I think it's alright and maybe even expected to have the administrator specify the directory they want to store files in, and there's plenty of precedent for this from other modules.

It just becomes part of the module setup, and you can easily pop up a warning if someone has not yet configured their PEAR directory.

#1

mepcotterell - May 8, 2008 - 18:23

As far as I know, PEAR packages can't do anything by themselves. They're mostly class libraries. If PEAR packages exist that can do things simply by executing them by themselves, then the Pear module installation does pose a risk when the Drupal 'files' directory is publicly viewable. Of course, this may be solvable by making sure all files within the pear directory are not executable, but that is an unlikely compromise; it won't mean anything on a Windows server.

You do have a good point, and I'll look into it further.

#2

mepcotterell - May 8, 2008 - 19:34

The files that are downloaded during module installation don't pose any security risk. After the installation, the module's migration wizard can be used to help move the installation to a different location.
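To make the two suggestions in this thread concrete (the original post's admin-supplied directory that is rejected when it sits inside the webroot, and a look at what the default files-directory install leaves web-reachable before the migration wizard from #2 is run), here is an added PHP example. It is not code from the Pear module or from Drupal core; the helper names pear_dir_problems and pear_find_scripts, and the directory layout built in the demo, are assumptions made for illustration.

```php
<?php
// Added example, not code from the Pear module or from Drupal core.
// pear_dir_problems() and pear_find_scripts() are hypothetical helpers
// showing the check a settings form could run before accepting a PEAR
// directory; the directory layout in the demo is constructed here.

/**
 * Returns a list of reasons $dir should not be used as the PEAR directory,
 * or an empty array if it is acceptable.
 *
 * @param string $dir     Path typed into the settings form.
 * @param string $webroot Directory the web server serves Drupal from.
 * @return array
 */
function pear_dir_problems($dir, $webroot) {
  $problems = array();
  $real = realpath($dir);
  $root = realpath($webroot);

  if ($real === FALSE || !is_dir($real)) {
    $problems[] = "$dir does not exist or is not a directory.";
    return $problems;
  }
  if (!is_writable($real)) {
    $problems[] = "$real is not writable by the web server user.";
  }
  // Anything at or below the webroot is reachable by URL, so a .php file
  // that a package drops there can be executed by an anonymous visitor.
  // Both paths are realpath()'d so symlinks cannot hide the nesting.
  $sep = DIRECTORY_SEPARATOR;
  if ($root !== FALSE && ($real === $root || strpos($real . $sep, $root . $sep) === 0)) {
    $problems[] = "$real is inside the webroot $root; choose a path outside it.";
  }
  return $problems;
}

/**
 * Lists PHP scripts already sitting under a web-reachable directory, e.g.
 * the default sites/default/files/pear location, so the administrator can
 * see what is exposed before moving the installation elsewhere.
 *
 * @param string $dir Directory to scan recursively.
 * @return array Sorted list of matching paths.
 */
function pear_find_scripts($dir) {
  $found = array();
  $iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
  );
  foreach ($iterator as $file) {
    if (preg_match('/\.(php|phtml|inc)$/i', $file->getFilename())) {
      $found[] = $file->getPathname();
    }
  }
  sort($found);
  return $found;
}

// Demo on a constructed layout under the system temp directory.
$base    = sys_get_temp_dir() . '/pear_check_' . getmypid();
$webroot = $base . '/htdocs';
$public  = $webroot . '/sites/default/files/pear';  // the module's default location
$private = $base . '/pear';                         // a directory outside the webroot
mkdir($public, 0755, TRUE);
mkdir($private, 0755, TRUE);
file_put_contents($public . '/Example.php', "<?php echo 'reachable';\n");

print "Default location:\n";
print_r(pear_dir_problems($public, $webroot));
print "Directory outside the webroot:\n";
print_r(pear_dir_problems($private, $webroot));
print "Scripts under the public files directory:\n";
print_r(pear_find_scripts($webroot . '/sites/default/files'));
```

In a Drupal 6 module the first function would be called from the settings form's validate handler, reporting each problem with form_set_error(), and the "not yet configured" warning the original post asks for fits naturally in hook_requirements() or a drupal_set_message(..., 'warning') on the admin pages when the path variable is empty. Note the caveat from #1 still applies: clearing the executable bit on the downloaded files is not a substitute for this check, since the web server's PHP handler, not the file mode, decides whether a script under the webroot runs.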

#3

mepcotterell - May 8, 2008 - 20:00
Status:active» by design
 
 
