Friday, March 4, 2016

Plugin security

I'm wondering if the current checks on the plugin security are not enough or silly and in the won't-ever-prevent-much category?

Right now we check to see if the requested plug has been "authorized" and let the user decide if he/she wants to use it.

One of the things we do is to run a checksum on the main module. This is stored with the authorization. If the checksum changes, we request a new authorization.

But, it's really silly since it's very easy for a "bad person" to sidestep with by calling another module. Leave the main "plugin.py" alone and modify something it calls. And so we go down the rabbit hole.

My proposal is to dump the checksum and just ask if the directory/module is okay.

And what do you folks think. Please let me know.

No comments:

Post a Comment

Truncate

I just found a minor bug in the TRUNCATE code. It didn't accept an integer argument for the Side= option. The underlying code all worked...