winterhazel commented on issue #12523: URL: https://github.com/apache/cloudstack/issues/12523#issuecomment-3853102387
@shwstppr as I commented in https://github.com/apache/cloudstack/issues/12523#issuecomment-3811417331: the known vulnerabilities pertaining the JS were patched, weren't they? Other features that come enabled by default almost certainly have vulnerabilities that we are not aware of yet, but we cannot put them behind a hidden setting due to a hypothetical security issue. If we were consistent with how the JS interpretation was handled, then we would have to also disable and hide features like [direct download](https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3/), [volume/template upload and register](https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3/), which had CVEs in the past, and all other functionalities that uses administrator/user input in a shell/python script. The [extraconfig feature](https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.1-4.18.1.1/) could also be used to abuse the environment. Following your logic, root admins should not be able to see/change this configuration, yet the configurations related to this feature are not hidden. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
