[Demexp-dev] Re: Two questions: account password change and PHP allow_ur
From: Augustin
Subject: [Demexp-dev] Re: Two questions: account password change and PHP allow_url_fopen requirement
Date: Sun, 29 Oct 2006 21:38:47 +0800
User-agent: KMail/1.8.2

Hi David,

Ooops! I forgot to reply to this mail...

On Monday 23 October 2006 01:58 am, David MENTRE wrote:
> Hello Augustin,
>
> I have two questions related to your code and Drupal:
>
> 1. Is it possible for the demexp admin in Drupal to change the demexp
> password of a Drupal user? It happens that demexp users lose their
> passwords and I need to be able to give them a new one.

??? Did you code a method for that?
As you know, I haven't implemented any of the admin methods yet.
If you feel it's urgent, I'll work on the admin methods as soon as the new
site is launched.

> 2. Can Drupal and your demexp module work with allow_url_fopen
> disabled? It is apparently the cause of a great number of recent
> attacks:
> http://lwn.net/Articles/203086/
> Remote file inclusion vulnerabilities

Drupal developers, just like in any major open source CMS project, take
security matters very seriously.
If we apply all security patches as they are released, we have nothing to
fear.

In my module, I use the Drupal API precisely so that I can code secure code
easily.

I am not sure if the core of Drupal needs it, but some contrib modules use it
(though we may not need them).
allow_url_fopen is ON at a major host I am using for one of my sites.

The problem is not about it being ON or OFF, but insecure code that does not
validate and sanitize variables.

If it makes a difference, turn it on, and be happy :)

Augustin.
--
http://www.wechange.org/
Because we and the world need to change.
http://www.reuniting.info/
Intimate Relationships, peace and harmony in the couple.
http://www.gnosis-usa.com/
Revolutionary Psychology, White Tantrism, Dream Yoga...
http://www.masquilier.org/
Condorcet, Approval alternative, better voting methods.
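
The reply above attributes remote file inclusion to code that does not validate its variables rather than to the allow_url_fopen setting. The following added example (not part of the original message and not demexp or Drupal code) shows that validation for an include target; the function name `resolve_include`, the `.inc` suffix, the allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not demexp or Drupal code.

/**
 * Map a request-supplied page name to a local file that may be include()d.
 * Returns the absolute path, or null when the name is rejected.
 */
function resolve_include(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: accept only names the application itself defined.
    //    Strict comparison avoids PHP's loose type juggling.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise the path and confirm that the
    //    file exists and sits inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.inc');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed set-up: a temporary directory holding one page file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.inc', "<?php echo 'about page';");

// Constructed inputs, as they might arrive in a query-string parameter.
$allowed = ['about', 'missing'];
$inputs  = ['about', 'http://example.invalid/x.txt?', '../../etc/passwd', 'missing'];
foreach ($inputs as $in) {
    $target = resolve_include($in, $dir, $allowed);
    // Only a non-null result would ever be handed to include().
    printf("%-32s => %s\n", $in, $target === null ? 'rejected' : 'accepted');
}

// Clean up the constructed files.
unlink($dir . DIRECTORY_SEPARATOR . 'about.inc');
rmdir($dir);
```

Because the request value is only ever compared against the allowlist and never concatenated into a path that reaches include() unchecked, the outcome is the same whether allow_url_fopen is ON or OFF.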