Hi Everybody,
My 0.2 cents as a security expert ...
Starting to customize Trac, I'm concerned about the existing plugin deployment.
Concerns:
1. By default Trac plugins are deployed to a site-wide location; it's bad as
Trac plugins have no meaning outside of Trac and were not tested outside
of Trac for possible conflicts and security issues.
2. A Trac project admin could use any plugins he wants by changing
inherit.plugin_dirs, and it's uncontrollable.
3. Any .py file dropped into the plugin directory will be treated as a plugin and
could cause user-visible errors or other security issues; from the other side,
it's not possible to move the plugins directory outside the Trac project tree
(e.g. to make it accessible to a dedicated Python programmer).
4. Removed plugins leave orphaned entries in trac.ini.
5. Python supports __main__.py as the entry point of a module; I guess Trac
support for egg-less modules would simplify plugin development.
Proposal (IMHO, of course):
1. Multiple plugin dirs, specified in trac.conf explicitly, with no default or
inherited one, e.g.
plugin_dirs=/opt/trac/plugins,~vasya/trac_plugins
2. No autoenable.
3. Component config should be moved out of conf/trac.ini to conf/plugins.ini.
4. Each plugins dir has to contain a plugins.ini with an explicit list
of files to load / classes to enable or autoenable. The project admin
could explicitly disable a plugin in conf/plugins.ini if it's autoenabled,
explicitly enable it if it's enabled, but couldn't
enable it if it's disabled.
5. Support for just a module directory with __main__.py as well as egg
format.
6. (stage II) Each plugin should have its own ini file instead of
trashing trac.ini.
7. (stage II) Add an ability to list projects with
enabled/autoenabled/disabled status for each of them in plugins.ini.
8. (stage II) Add an ability to specify required permissions in plugins.ini
-Dmitry
--
Dmitry Samersoff
[email protected], http://devnull.samersoff.net
* I do want to change the world, I don't want the world to change me
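The enable/disable precedence described in proposal item 4 (the plugin dir's plugins.ini sets each component to autoenable, enabled or disabled; the project's conf/plugins.ini may disable an autoenabled one or enable an "enabled" one, but never enable a disabled one), as an added example that is neither Trac code nor part of the post. The single "[plugins]" section, the "status" values and the component names are assumptions made for the example.

```python
import configparser

# Constructed sample plugins.ini contents: component = status (assumed layout).
DIR_PLUGINS_INI = """[plugins]
tickets_ext.TicketHook = autoenable
wiki_macros.MacroSet = enabled
legacy.Unsafe = disabled
"""
PROJECT_PLUGINS_INI = """[plugins]
tickets_ext.TicketHook = disabled
wiki_macros.MacroSet = enabled
legacy.Unsafe = enabled
stray.NotDeclared = enabled
"""
STATES = {"autoenable", "enabled", "disabled"}

def parse_policy(text):
    """Map component name -> status, rejecting unknown status values."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep component names case-sensitive
    cp.read_string(text)
    policy = {}
    for comp, status in cp.items("plugins"):
        status = status.strip().lower()
        if status not in STATES:
            raise ValueError(f"{comp}: unknown status {status!r}")
        policy[comp] = status
    return policy

def resolve(dir_policy, project_policy):
    """Apply the post's precedence rule; returns (active set, rejected overrides)."""
    active, rejected = set(), {}
    for comp, status in dir_policy.items():
        override = project_policy.get(comp)
        if status == "autoenable":
            on = override != "disabled"      # project may only turn it off
        elif status == "enabled":
            on = override == "enabled"       # available, but opt-in per project
        else:
            on = False                       # plugin dir said no: project cannot override
            if override == "enabled":
                rejected[comp] = "disabled by plugin dir"
        if on:
            active.add(comp)
    # Components only named in the project file are never loaded.
    for comp in project_policy.keys() - dir_policy.keys():
        rejected[comp] = "not declared in any plugin dir"
    return active, rejected
```

Logging the `rejected` map at startup gives the site admin a record of every project-level override that was refused.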