http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6874
--- Comment #9 from Paul Poulain <paul.poul...@biblibre.com> 2011-10-13 13:16:11 UTC --- (In reply to comment #8) > Multiple instances is when you're running more than one koha instance on a > server. > > Having the files accessible directly through apache strikes me as problematic. > Adding an alias doesn't solve that really, and I don't think chmod 0644 will > either. For a simple example, what if someone uploads a PHP file and you have > mod_php enabled? can't it be solved just by an apache config (like "noexec" or something like that ?) > The patch has a lot of 'warn's in it, looks like debug code. Agreed, Julian, please update unconditional warns to "$debug and warn" > Most of the functions are undocumented, which is bad. If you're speaking of upload.pl, I fully agree, Julian, please add some documentation to this script. > Putting HTML/Javascript in .pl files is something that should really really be > avoided, it's violating separation of concerns (I know that other parts of > Koha > have that, that upsets me too :) It should be pushed into a template. If you speak of upload.pl, it's how it's made for all plugins and I don't think this should be changed for this one. I agree we should improve the cataloguing plugin system (& probably completely rewrite the cataloguing tool in fact), but that's outside the scope of this patch. For consistency reason I think upload.pl should continue to have this structure & embeed code & html & javascript. > I note that you search through to find a free filename. I can't tell what the > base name will be (or perhaps it's provided by the uploader), but that a) > risks > a (very unlikely) race condition, and b) could get slow if there are many > files. Perhaps include a timestamp as well? I don't understand what you mean here, so won't say anything. > If the OPAC is set so that it requires a valid login to access, then this will > still allow those files to be accessible, which is bad. True, but how could we avoid this ? should we obfuscate all files URL by providing a pass-through perl script? Something like : <a href="/cgi-bin/koha/opac-retrieve.pl?filename=blabla">Download file</a> and opac-retrieve.pl: 1- check for Opac requiring login 2- send the file Note that is would also solve your php uploaded concern right ? (Julian : if Robin confirms, ask stephane_n for what he did for Electre, it's that kind of thing) -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. _______________________________________________ Koha-bugs mailing list Koha-bugs@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/