winterhazel commented on issue #12523: URL: https://github.com/apache/cloudstack/issues/12523#issuecomment-3811417331
> [@winterhazel](https://github.com/winterhazel), any thoughts?

@DaanHoogland regarding the startup failure, it is the behavior I find correct for this situation. There should also be a clear message in the logs informing that there was an issue while decrypting this configuration's value, so that operators know what to look into.

I have some thoughts about `js.interpretation.enabled` though. I do not have access to the discussion regarding the CVE that prompted the introduction of this setting to know why it was handled that way. However, I think that it should not have been made a hidden setting with an encrypted value, and should be enabled by default.

The vulnerability was fixed as far as I am aware; also, the APIs that allow configuring scripts (host, Quota tariff, and secondary storage selector configuration) should only be accessible to people with access to the infrastructure. Hence, if a new vulnerability with the interpreter gets discovered and exploited, that is not an issue with the platform, but internal permission granting issues. Other features that come enabled by default may have vulnerabilities that we are not aware of yet, but that's not a reason for us to disable them by default. Having it as a hidden encrypted setting just makes it unnecessarily difficult for operators to use the features.

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
