[Koha-devel] buildrelease


From: Andrew Arensburger
Subject: [Koha-devel] buildrelease
Date: Sat Sep 21 15:15:01 2002
User-agent: Mutt/1.2.5.1i

        I've been looking at the 'buildrelease' script, and have a few
comments and questions about it.

        For one thing, it looks for ".kohaautobuild.conf" and "docs/"
in root's home directory, rather than in the current user's home
directory or the CVS build directory. I assume these are considered
bugs.

        Also, it uses "cp -a", which isn't portable (neither FreeBSD's
nor Solaris's 'cp' take a "-a" option).

        The way it builds the distribution directory (which will be
tarred up as the distribution tarball) is to copy everything from the
CVS build directory into /tmp/koha-1.2.3/intranet-cgi, and then move
things around, or delete unwanted files.
        The problem with this is that it can leave an awful lot of
cruft in the intranet-cgi directory, which might therefore wind up in
the end-user's internal/cgi-bin directory. I don't know about y'all,
but I tend to generate a fair number of temporary files that shouldn't
wind up in the release.
        For instance, if I find a security hole in "somescript.pl", I
might make a backup copy "somescript.pl.buggy" for reference before
fixing the bug. The way 'buildrelease' and the installation
instructions are currently written, "somescript.pl.buggy" will wind up
in a number of end-users' internal/cgi-bin directories. And since the
source and revision history are there for all to see, it'll be fairly
easy for a black-hat to write an exploit.

        A better approach, IMO, would be to have a file that specifies
which files are to be included in the distribution, and where:

        ChangeLog*              .
        search.pl               intranet-cgi
        search.pl               opac-cgi
        koha-html/intranet-html/index.html      intranet-html
        ...

So that all of the ChangeLog* files will be copied to /tmp/koha-1.2.3,
"search.pl" will be copied to both /tmp/koha-1.2.3/intranet-cgi and
/tmp/koha-1.2.3/opac-cgi, koha-html/intranet-html/index.html will be
copied to /tmp/koha-1.2.3/intranet-html, and so forth.

        If people tell me, "you found the bug, you fix it", I will.

        Oh, and a general comment about Koha: none of these CGI
scripts perform taint checks, even though they take user input. IMO
this is a Bad Thing.

-- 
Andrew Arensburger                      This message *does* represent the
address@hidden                      views of ooblick.com
           Reality? But there are DIRTY DISHES in Reality!
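
The manifest-driven staging the post proposes, as an added example that is neither Koha's buildrelease script nor the author's code: a POSIX sh function that copies only the files listed in a "pattern destdir" manifest into the staging tree (using plain cp -p rather than the non-portable cp -a) and reports any pattern that matches nothing, plus a constructed source tree with a stray search.pl.buggy to show that unlisted files stay out. Function names, paths and the fixture are assumptions.

```shell
#!/bin/sh
# Added example, not Koha's buildrelease: stage a release from a manifest so
# that only listed files reach the tarball. POSIX cp/mkdir only, no "cp -a".

# stage_release SRCDIR MANIFEST STAGEDIR
# Manifest lines are "glob-pattern destdir": the pattern is relative to
# SRCDIR, destdir is relative to STAGEDIR ("." for the top level).
# Returns non-zero if any pattern matches nothing, so manifest typos are
# noticed instead of silently dropping a file from the release.
stage_release() {
    src=$1; manifest=$2; stage=$3
    rc=0
    while read -r pattern dest; do
        case $pattern in ''|'#'*) continue ;; esac   # skip blanks/comments
        mkdir -p "$stage/$dest" || return 1
        matched=0
        # expand the glob relative to SRCDIR in a subshell (caller's cwd kept)
        for f in $(cd "$src" && printf '%s\n' $pattern); do
            [ -e "$src/$f" ] || continue     # unmatched glob stays literal
            cp -p "$src/$f" "$stage/$dest/" || return 1
            matched=1
        done
        if [ "$matched" -eq 0 ]; then
            echo "manifest: no file matches '$pattern'" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Constructed fixture (assumption): a tiny fake checkout containing a backup
# file, search.pl.buggy, that must NOT reach the staged release.
# Prints the staging directory on success.
demo_stage() {
    base=${TMPDIR:-/tmp}/stage-demo.$$
    src=$base/src; stage=$base/koha-1.2.3
    mkdir -p "$src/koha-html/intranet-html"
    : > "$src/search.pl"; : > "$src/search.pl.buggy"
    : > "$src/ChangeLog"; : > "$src/ChangeLog.old"
    : > "$src/koha-html/intranet-html/index.html"
    printf '%s\n' 'ChangeLog* .' 'search.pl intranet-cgi' 'search.pl opac-cgi' \
        'koha-html/intranet-html/index.html intranet-html' > "$base/MANIFEST"
    stage_release "$src" "$base/MANIFEST" "$stage" && echo "$stage"
}
```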