Some improvements

jenot - December 21, 2008 - 02:35
Project: Plugin Manager
Version: 6.x-1.7
Component: Code
Category: feature request
Priority: normal
Assigned: jenot
Status: closed
Description

Patch contains:
- N x clean some errors
- 1 x usage improvement
- md5sum hack
Thinking that manually inserting the md5sum improves security is silly.
Guys, think a while.

Attachment: jenots.patch (4.15 KB)

#1

JoshuaRogers - December 21, 2008 - 02:55

Believe it or not, there's a method to our madness (or in this case silliness. ;) As such, there is a reason that we are manually inserting the md5sum. In this case, we are using it to verify that the package is what it claims to be. If the server falls victim to dns poisoning, then when it tries to connect to drupal.org it might really be connected instead to an attacker's computer. Thus, the attacker could show the file and md5sum as being whatever they want (since it is being read off their system), tricking the system into downloading and installing the wrong software. By putting the iframe there, however, both the client and the server have to connect to drupal.org. Even if the server falls victim to dns poisoning, the attacker has no way to change the md5sum that the user sees.

Annoying, yes, but it actually does add a layer of security. We're working on adding code to use cURL on systems that support it. Hopefully that should help the annoyance factor.

As for the rest of the patch, I'll take a look at it.

Thanks for the contribution.
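
The two-channel check described in #1, as an added illustration in Python (not Plugin Manager's own code): the function names and sample archives are constructed, and both network fetches are simulated. It shows that a digest read from the same channel as the download always matches, while a digest read through the admin's own browser exposes a substituted archive.

```python
import hashlib
import hmac
import re

MD5_HEX = re.compile(r"[0-9a-f]{32}")

def normalize_digest(text):
    """Clean a digest the admin pasted from the browser; None if malformed."""
    candidate = text.strip().lower()
    return candidate if MD5_HEX.fullmatch(candidate) else None

def verify_package(package_bytes, trusted_digest_text):
    """Return True only if the archive matches the trusted-channel digest."""
    expected = normalize_digest(trusted_digest_text)
    if expected is None:
        return False  # fail closed on empty or malformed input
    actual = hashlib.md5(package_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: the genuine release and a substituted archive.
GENUINE = b"genuine module archive (constructed sample)"
TAMPERED = b"substituted archive (constructed sample)"

def fetch_via_server(poisoned):
    """Server-side channel (simulated): archive and digest both come from
    whichever host answered, so a poisoned resolver controls both values."""
    archive = TAMPERED if poisoned else GENUINE
    return archive, hashlib.md5(archive).hexdigest()

def digest_seen_in_browser():
    """Second channel (simulated): the digest the admin reads from
    drupal.org in their own browser, independent of the server's resolver."""
    return hashlib.md5(GENUINE).hexdigest()

def install_decision(poisoned, use_second_channel):
    """Decide whether the downloaded archive would be accepted."""
    archive, same_channel_digest = fetch_via_server(poisoned)
    if use_second_channel:
        trusted = digest_seen_in_browser()
    else:
        trusted = same_channel_digest
    return verify_package(archive, trusted)

if __name__ == "__main__":
    for poisoned in (False, True):
        for second in (False, True):
            print(f"poisoned={poisoned} second_channel={second} "
                  f"install={install_decision(poisoned, second)}")
```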

#2

JoshuaRogers - December 21, 2008 - 03:32
Status: needs review » fixed

I applied the part of the patch that dealt with hiding the errors, rather than blabbing them to the screen. Good stuff.

Thanks.
J Rogers

#3

jenot - December 21, 2008 - 16:34

On production servers, such as web hosting servers, it isn't possible to use DNS poisoning to attack the drupal.org site.

But if you want a higher level of security, get the md5sums from drupal.org by https and check the certificate.
It solves the problem with DNS poisoning.
I use this to make secure connections between the host machines of a cluster.

Sorry for my English ;)

#4

JoshuaRogers - December 22, 2008 - 05:51

As long as humans write and administer the software on servers, DNS poisoning attacks are possible. It all boils down to this: you are potentially putting your trust in one person having a flawless setup. (Not to mention the software you are running not having any exploitable bugs.) My weekly subscription to a few of securityfocus's newsletters makes me think this has yet to be done. It might not be as likely, but it is still entirely too possible.

You are correct however about the secure connection. If a secure connection can be established to drupal.org, then we will not have to ask the user for an md5sum. This is actually number two on my todo list for plugin manager. Number one is quashing the existing show-stopper bugs.

#5

System Message - January 5, 2009 - 06:00
Status: fixed » closed

Automatically closed -- issue fixed for two weeks with no activity.

 
 
