Hi Caleb,
On 03/25/2011 12:23 AM, Caleb James DeLisle wrote:
Sometimes there is a grey area between a security vulnerability and a really nice feature. I think it is important that everyone understand what a user should be able to do and what a user should not be able to do, since "that's not a bug, that's a feature" is cold comfort to a user who just discovered that his security requirements were not met. Also, having a standard laid down will allow us to better classify security issues if they are discovered (I can proudly say that we have improved here by leaps and bounds). I have a draft document which attempts to detail that line between bug and feature and I think it is time to move it into main space.

http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications

WDYT?
Indeed, we need such a document. A few remarks:

* 2.4 duplicates 2.2
* 7.3 is a bit confusing because until that point document title and document content are viewed separately (e.g. 5.2 and 5.3)
* 8.5 is not quite correct because you can instantiate and load classes from Velocity, but not directly. You can't use the new operator and you don't have access to the Java reflection API, but by simply writing:

#set($list = [1, 2, 3])

you are creating a new instance of ArrayList.
Thanks,
Marius
Caleb

_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs