Ensure Composer dependency test/example code is safe #6888

Closed
asmecher opened this issue Mar 26, 2021 · 0 comments
Labels: Bug:3:Critical (a bug that prevents a substantial minority of users from using the software)


asmecher commented Mar 26, 2021

Composer dependencies often come with test/example code. OJS/OMP/OPS place these within the web root, meaning these extras are web-accessible. They are wasteful, but also potentially dangerous, as any .php scripts can be remotely invoked.

Unfortunately the Composer team is resistant to including tools to remove these (composer/composer#4438 and composer/composer#1750).

For .tar.gz packages, the build script includes a list of exclusions (https://github.com/pkp/ojs/blob/main/tools/buildpkg.sh). Review this and ensure it's up to date.

For git-based installations, we unfortunately can't exclude parts of dependencies without support in Composer, but we can ship a .htaccess file to restrict remote access to them.

It appears to be generally (but not officially) recommended that vendor be kept outside the web root; see #1832 for discussion/work that would achieve this.
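A defender-side check for the exposure described in this issue, as an added example that is not part of the OJS project or of this issue: it lists .php files that sit in test/example directories under a Composer vendor/ tree and writes a deny-all .htaccess into vendor/ as the stopgap the issue proposes. The directory names, the Apache 2.4 directive and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not OJS/OMP/OPS project code): audit vendor/ for
# web-invocable .php files shipped as tests or examples, and drop a
# deny-all .htaccess into vendor/ so Apache refuses remote requests.
# Directory names below are an assumption about common package layouts.

# list_extra_php VENDOR_DIR: print every .php file whose path passes
# through a test/example-style directory, one per line, sorted.
list_extra_php() {
    find "$1" -type f -name '*.php' \
        \( -path '*/test/*'  -o -path '*/tests/*' \
        -o -path '*/example/*' -o -path '*/examples/*' \
        -o -path '*/demo/*'  -o -path '*/docs/*' \) | sort -u
}

# count_extra_php VENDOR_DIR: number of such files (0 when clean).
count_extra_php() {
    list_extra_php "$1" | wc -l | tr -d ' '
}

# write_htaccess VENDOR_DIR: deny all web access to the vendor tree.
# Needs Apache 2.4+ and AllowOverride permitting AuthConfig (assumption).
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny web access to Composer dependencies (Apache 2.4+ syntax)
Require all denied
EOF
}

# make_sample: constructed vendor tree (one library file that must stay
# reachable, one PHPUnit test, one runnable demo); prints its root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/vendor/acme/lib/src" \
             "$root/vendor/acme/lib/tests" \
             "$root/vendor/acme/lib/examples/sub"
    printf '<?php // library code\n'  > "$root/vendor/acme/lib/src/Lib.php"
    printf '<?php // phpunit test\n'  > "$root/vendor/acme/lib/tests/LibTest.php"
    printf '<?php // runnable demo\n' > "$root/vendor/acme/lib/examples/sub/demo.php"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    r=$(make_sample)
    echo "web-exposed extras: $(count_extra_php "$r/vendor")"
    list_extra_php "$r/vendor"
    write_htaccess "$r/vendor"
    rm -rf "$r"
fi
```

Run against a real installation with `list_extra_php /path/to/ojs/lib/pkp/lib/vendor` (path is an assumption) to compare the output with the build script's exclusion list.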

@asmecher asmecher added this to the OJS/OMP/OPS 3.3.0-5 milestone Mar 26, 2021
@asmecher asmecher self-assigned this Mar 26, 2021
asmecher added a commit that referenced this issue Mar 26, 2021
asmecher added a commit that referenced this issue Apr 7, 2021
@asmecher asmecher added the Bug:3:Critical A bug that prevents a substantial minority of users from using the software. label Apr 7, 2021