Ensure Composer dependency test/example code is safe #6888
Labels: Bug:3:Critical (A bug that prevents a substantial minority of users from using the software.)
asmecher added 5 commits to pkp/ojs that referenced this issue (Mar 26, 2021)
asmecher added 6 commits that referenced this issue (Mar 26, 2021)
asmecher added a commit to pkp/ojs that referenced this issue (Mar 26, 2021)
asmecher added a commit that referenced this issue (Mar 26, 2021)
asmecher added a commit to pkp/ojs that referenced this issue (Mar 26, 2021)
asmecher added 5 commits to pkp/omp that referenced this issue (Mar 26, 2021)
asmecher added a commit that referenced this issue (Mar 26, 2021)
asmecher added a commit to pkp/omp that referenced this issue (Mar 26, 2021)
asmecher added a commit that referenced this issue (Mar 26, 2021)
asmecher added a commit to pkp/omp that referenced this issue (Mar 26, 2021)
asmecher added 4 commits to pkp/ops that referenced this issue (Mar 26, 2021)
asmecher added 2 commits that referenced this issue (Mar 29, 2021)
asmecher added a commit that referenced this issue (Apr 7, 2021)
asmecher added a commit to pkp/ojs that referenced this issue (Apr 7, 2021)
asmecher added the Bug:3:Critical label (A bug that prevents a substantial minority of users from using the software.) (Apr 7, 2021)
Composer dependencies often come with test/example code. OJS/OMP/OPS place these within the web root, meaning these extras are web-accessible. They are also wasteful, but also potentially dangerous, as any .php scripts can be remotely invoked.
Unfortunately the Composer team is resistant to including tools to remove these (composer/composer#4438 and composer/composer#1750).
For `.tar.gz` packages, the build script includes a list of exclusions (https://github.com/pkp/ojs/blob/main/tools/buildpkg.sh). Review this and ensure it's up to date.

For git-based installations, we unfortunately can't exclude parts of dependencies without support in Composer, but we can ship a `.htaccess` file to restrict remote access to them.

It appears to be generally (but not officially) recommended that `vendor` be kept outside the web root; see #1832 for discussion/work that would achieve this.