[Vtigercrm-developers] Roadmap and safety Vtiger & forks

Alan Bell alan.bell at libertus.co.uk
Fri May 13 10:27:44 GMT 2016


OK, so in the linked commit, there is a new class AppRequest in 
include/http/Request.php (it is in "includes" in vtiger at the moment 
because yetiforce folded the /includes/ into /include/ a while back)
This class parses fields out of the $_REQUEST data in a number of ways, 
and does it properly and would be a central point to add extra checks at 
some point.
The commit also includes rewriting pretty much everywhere that $_REQUEST 
is directly used in the codebase to use this new class. It is a good 
improvement preventing various potential attacks (mostly attacks by 
authenticated users, but probably some unauthed stuff, particularly 
around password resetting)

I think it also removes the following files on the basis that they are 
no longer used; I am not sure if that is true for vtiger:

include/utils/InventoryUtils.php
include/utils/export.php
modules/Calendar/iCalExport.php
modules/Calendar/iCalImport.php
modules/ModComments/ModCommentsWidgetHandler.php
modules/OSSTimeControl/Save.php
modules/Reports/AdvancedFilter.php
modules/Reports/CustomReportUtils.php_deprecated
modules/Reports/ReportChartRun.php_deprecated
modules/Reports/ReportSharing.php
modules/Reports/ReportType.php
modules/Users/Authenticate.php

so the commit clearly won't apply cleanly to vtiger, but it is good 
stuff and we should incorporate it.

I actually pulled a copy of yetiforce from github to code.vtiger.com the 
other day, in the hope of being able to figure out how to efficiently 
move stuff between the systems, and work out what the differences 
actually were at this stage.
http://code.vtiger.com/alanbell/yetiforce

I opened an issue for this topic here
http://code.vtiger.com/vtiger/vtigercrm/issues/203

Alan.

On 13/05/16 10:55, Błażej Pabiszczak wrote:
>
> Every now and then we send information about security errors, not only 
> to Vtiger, but also to creators of Vtiger modules. In most of the 
> cases, these changes aren't fixed. I don't understand why security is 
> a taboo subject, and why nobody considers our comments [maybe we 
> should report each of these cases publicly? Or maybe we should record 
> a video on how to break into the OD version?] Any ideas?
>
> The code that is currently added to Vtiger is of low quality, and 
> since releasing v6.0 nobody has been really dealing with the 
> development as far as quality and security are considered. 
> Unfortunately, we inherited a lot of code from Vtiger [it also applies 
> to other forks – CoreBOS, VTE CRM]. The majority of errors we point 
> out are related to not clearing the variables, and storing useless old 
> files full of holes. Let's see what the reaction to this post is. If 
> you ignore it, we won't publish info like that anymore; it's a waste of 
> our time. Take into consideration that our system doesn't have many of 
> the modules that are in Vtiger because we wrote them from scratch, so 
> the link below is not a ready solution, it only points out part of the 
> found errors. Vtiger
>
> Therefore I suggest making a contest – how long does it take for 
> serious security errors to be fixed, and an update package to be 
> released, after publishing the errors on this mailing list.
>
>   * https://github.com/YetiForceCompany/YetiForceCRM/commit/4746cda904c88a26cce22194fb76f64d3df9893d
>
>
> ---
> Regards
> *Błażej Pabiszczak*
> /Chief Executive Officer/
> M: +48.884999123
> E: b.pabiszczak at yetiforce.com <mailto:b.pabiszczak at yetiforce.com>
>
>
>
> _______________________________________________
> http://www.vtiger.com/
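As an added illustration of the point made in this thread (not code from the YetiForce commit, from vtiger, or from either poster), the following PHP sketch shows what a centralised request wrapper buys you over raw `$_REQUEST` access: every read goes through a typed accessor, so validation lives in one place and can be tightened later. The class name, method names and the sample request array are assumptions; the real AppRequest class in the linked commit has its own API.

```php
<?php
// Added example, not YetiForce's or vtiger's own code. A minimal
// centralised request wrapper in the spirit of the AppRequest class
// discussed above. Class/method names are illustrative assumptions.
declare(strict_types=1);

final class RequestWrapper
{
    /** @var array<string, mixed> raw request data, never read directly by callers */
    private array $raw;

    public function __construct(array $raw)
    {
        $this->raw = $raw;
    }

    /** Production entry point: wrap the superglobal once, at bootstrap. */
    public static function fromGlobals(): self
    {
        return new self($_REQUEST);
    }

    public function has(string $key): bool
    {
        return array_key_exists($key, $this->raw);
    }

    /** Integer only: a value like "42 OR 1=1" or "12abc" falls back to the default. */
    public function getInteger(string $key, int $default = 0): int
    {
        if (!isset($this->raw[$key]) || is_array($this->raw[$key])) {
            return $default;
        }
        $value = filter_var($this->raw[$key], FILTER_VALIDATE_INT);
        return $value === false ? $default : $value;
    }

    /** Whitelisted identifier (module, view, action names): letters, digits, underscore. */
    public function getAlnum(string $key, string $default = ''): string
    {
        $value = $this->raw[$key] ?? null;
        if (!is_string($value) || preg_match('/^[A-Za-z0-9_]+$/', $value) !== 1) {
            return $default;
        }
        return $value;
    }

    /** Free text, HTML-escaped on the way out so it can be echoed into a page. */
    public function getText(string $key, string $default = ''): string
    {
        $value = $this->raw[$key] ?? null;
        if (!is_string($value)) {
            return $default;
        }
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    /** Escape hatch: callers that really need the raw value say so explicitly. */
    public function getRaw(string $key)
    {
        return $this->raw[$key] ?? null;
    }
}

// Constructed sample input standing in for $_REQUEST (not a real capture).
$request = new RequestWrapper([
    'record' => '42 OR 1=1',
    'module' => 'Accounts',
    'view'   => '../../etc/passwd',
    'name'   => '<script>alert(1)</script>',
]);

// Before: direct $_REQUEST use trusts whatever the client sent.
// $sql = 'SELECT * FROM vtiger_account WHERE accountid = ' . $_REQUEST['record'];

// After: the same reads go through one typed accessor per value kind.
$recordId = $request->getInteger('record');   // injected suffix is rejected
$module   = $request->getAlnum('module');     // plain identifier passes
$view     = $request->getAlnum('view');       // traversal string is rejected
$name     = $request->getText('name');        // script tag is escaped

var_dump($recordId, $module, $view, $name);
```

The value of the pattern is less the individual checks than the choke point: once nothing in the codebase touches `$_REQUEST` directly, adding a new rule (a stricter identifier charset, a length cap, CSRF token verification) is a change to one class rather than a grep through every module.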
