Elfyn <[EMAIL PROTECTED]> typed:
> Hi,
>
> Lorenzo Hernandez Garcia-Hierro wrote:
>> Hi,
>>
>> I've started coding the new security library.
>> Please check out or update your copy of the repository.
>> The library will be under /security .
>> Cheers.
>> PS: I also modified line 382 (session hashing function) in
>> /include/session.php to use a more complex
>> hashing method.
>> Please, refer to the CVS for more information.
>
> I have a few comments regarding your changes:
>
> 1) Your change to frontend/php/include/session.php (in
> session_set_new()) completely breaks session handling - time()
> does not accept parameters. I believe you meant to use gmtime()
> here, no?
>
> 2) Your use of md5() is confusing. md5() is not a crypt()-like
> function. It simply hashes a string - no salt is needed.
> Furthermore, the second [boolean] parameter to md5() enables
> raw-binary (as opposed to hexadecimal) representation of the MD5
> sum (which, in turn, completely changes the function of
> session_set_new() and not just the algorithm it uses).
Hum, it is important to test functions before committing
them. Moreover, I think this kind of improvement would be better on a
branch. As I said previously, the trunk should never be broken.
Especially, new features must be related to a specific issue.
Lorenzo, can you fix that problem?
>
>
> Also, your addition of frontend/php/security/security-lib.php (I'm
> talking about the XOR encoding function, here) seems to be aiming more
> toward security through obscurity than... well any other purpose.
>
> By using this function you are not only A) telling all search engines
> you do not want their business and B) telling visitors without
> javascript-enabled browsers you do not want their business either.
Hum, sure, I did not mention that, but we definitely do not want Savane
to be javascript dependent.
I am not sure I understand the purpose of these new functions:
"it encodes in realtime using XOR characters the source code
of the website or just some part"
How so, why?
> You are also making any page that Savane generates non-HTML compliant
> for the purpose of "security."
>
> There's also a problem (IMHO) with introducing the body of that function
> (_fwk_filter_encrypt) into Savane:
>
> 1) I have seen many revisions of that particular function many times
> in the last couple of years, one example is sitting beside me in a
> PHP book (copyright A-LIST, LLC).
>
> 2) A search on Google for "_fwk_filter_encrypt" bears more examples,
> each with different copyright owners.
>
> Now, the problem that I have, with this piece of code, is that of
> copyright. Either it is copyright by you (OK) or it is not (not OK).
> If the former, that's cool, you can license the code under any license
> you choose; however, in the latter case you are not the copyright holder
> and therefore cannot place the code under the GPL.
>
> I don't mean the above personally. I'm just concerned that code I have
> seen before (copyright someone else) is now showing up in Savane minus
> that copyright attribution, plus your attribution...
That issue must be dealt with. If you are not the copyright owner,
did the copyright owner release that code under a free software
license? If so, which one?
To make it short:
- The priority ASAP is to deal with the issues you reported. I fixed
the two that seemed relevant, but I am still wondering about many
other issues you reported, whether they are really problematic
or not.
- You expressed the desire to work on the register_globals stuff,
and that's why I gave you access to the CVS. That's something
that has been previously discussed and should be done, so nobody
would oppose that development.
- You did not mention that new library you want to write, and I
think you should first explain exactly its purpose:
- problems it should fix
- way to do it
Regards,
--
Mathieu Roy
+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i=/misc-files/flawed-english |
+---------------------------------------------------------------------+
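The md5() point Elfyn raises above (the second, boolean parameter switches the result from 32 hexadecimal characters to 16 raw bytes, which changes what session_set_new() would store in the cookie) is easy to see in isolation. The following is an added example and is not code from the Savane CVS or from anyone in this thread; the function names `md5_variants` and `is_cookie_safe` and the seed string are constructed for the illustration.

```php
<?php
// Added example, not Savane code: shows what md5()'s second argument does
// and why it matters for a value that travels in a session cookie.

function md5_variants(string $input): array
{
    return [
        // Default form: 32 lowercase hexadecimal characters.
        'hex' => md5($input),
        // $binary = true: the same digest as 16 raw bytes, most of them
        // unprintable, so it cannot be dropped into a Set-Cookie header as-is.
        'raw' => md5($input, true),
    ];
}

function is_cookie_safe(string $value): bool
{
    // A session id produced by md5() should look like exactly 32 hex digits.
    return (bool) preg_match('/\A[0-9a-f]{32}\z/', $value);
}

// Constructed seed; md5() is a plain hash here, not crypt(), so there is
// no salt argument and none is needed for this use.
$seed     = 'constructed-session-seed-' . time();   // time() takes no arguments
$variants = md5_variants($seed);

printf("hex: %s (%d chars, cookie-safe: %s)\n",
    $variants['hex'], strlen($variants['hex']),
    is_cookie_safe($variants['hex']) ? 'yes' : 'no');

// bin2hex() only so the raw form can be printed; the stored value would be
// the 16 raw bytes, which is what breaks the session id.
printf("raw: %s (%d bytes, cookie-safe: %s)\n",
    bin2hex($variants['raw']), strlen($variants['raw']),
    is_cookie_safe($variants['raw']) ? 'yes' : 'no');
```

Running it prints one 32-character hex string reported as cookie-safe and one 16-byte value reported as not, which is the behaviour change in session_set_new() that the review comment describes.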