thorough security audit and permissions functionality
spiderman - June 20, 2008 - 13:29
| Project: | Discuss This! |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | task |
| Priority: | critical |
| Assigned: | spiderman |
| Status: | closed |
Description
A major piece of work I've yet to complete for this module is to review it for security holes and ensure that the access permissions are working as desired.

#1
Will be committing a patch for this later today.
#2
Considering this fixed as of commit #123086, though I'm not 100% sure I've done the right thing with the check_plain I added in the _discussthis_set_topic function.
#3
<?php
$result = db_query(db_rewrite_sql($sql), check_plain($title));
?>
check_plain is not required here because $title is checked when injected into the query.
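The point made in #3 is that SQL escaping and HTML escaping belong to different layers: the query's placeholder substitution (`'%s'` in Drupal 5's `db_query()`) already escapes `$title` for SQL, while `check_plain()` is for escaping text at output time. The following is an added example, not code from the Discuss This! module; it uses PDO with an in-memory SQLite database as a stand-in for `db_query()` placeholders and `htmlspecialchars()` as a stand-in for `check_plain()`, so it runs without a Drupal bootstrap. The function names and the sample title are constructed for the example.

```php
<?php
// Added example (not the module's own code): SQL escaping is the query
// layer's job; HTML escaping is the output layer's job. Doing HTML escaping
// before storage, as the check_plain() in the snippet above did, changes the
// stored data and leads to double-encoding when the value is later rendered.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE topic (nid INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $db;
}

// Correct: the title reaches the database as a bound parameter, so quotes
// or other SQL metacharacters inside it cannot alter the statement.
function insert_topic(PDO $db, int $nid, string $title): void {
    $stmt = $db->prepare('INSERT INTO topic (nid, title) VALUES (:nid, :title)');
    $stmt->execute([':nid' => $nid, ':title' => $title]);
}

function load_title(PDO $db, int $nid): ?string {
    $stmt = $db->prepare('SELECT title FROM topic WHERE nid = :nid');
    $stmt->execute([':nid' => $nid]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// Wrong: HTML-escaping before storage. The parameterised query did not need
// it, and what is stored no longer matches what the user typed.
function insert_topic_html_escaped(PDO $db, int $nid, string $title): void {
    insert_topic($db, $nid, htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));
}

// Output layer: escape exactly once, at the point where the title is
// placed into HTML.
function render_title(string $title): string {
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

$db = make_db();
// Constructed sample input containing a quote, a tag and an ampersand.
$typed = "O'Reilly <b>& co</b>";

insert_topic($db, 1, $typed);
insert_topic_html_escaped($db, 2, $typed);

var_dump(load_title($db, 1) === $typed);   // stored as typed
var_dump(load_title($db, 2) === $typed);   // stored already HTML-escaped
echo render_title(load_title($db, 1)), "\n";
echo render_title(load_title($db, 2)), "\n";   // entities escaped a second time
```

Run with the PHP CLI (the `pdo_sqlite` extension is required). The first comparison holds and the second does not: the row written through the HTML-escaping path no longer contains the title the user entered, and rendering it escapes the entities a second time, so the page shows literal `&amp;`-style text instead of the original characters. Injection is prevented in both paths by the bound parameter alone, which is why the `check_plain()` call in the query was unnecessary.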
#4
Ah, sweet! Thanks for the tip! I kinda thought I was being overzealous, but didn't want to be underzealous, anyway ;)
I'll remove that line in a subsequent commit, and consider this issue closed. Fortunately, the module doesn't really do anything much with user input, so it's relatively easy to keep things secure.
#5
Automatically closed -- issue fixed for two weeks with no activity.