I'm wondering if the current checks on plugin security are either not enough, or silly and in the won't-ever-prevent-much category.
Right now we check to see if the requested plugin has been "authorized" and let the user decide if he/she wants to use it.
One of the things we do is to run a checksum on the main module. This is stored with the authorization. If the checksum changes, we request a new authorization.
But it's really silly, since it's very easy for a "bad person" to sidestep it by calling another module: leave the main "plugin.py" alone and modify something it calls. And so we go down the rabbit hole.
My proposal is to dump the checksum and just ask if the directory/module is okay.
What do you folks think? Please let me know.
Friday, March 4, 2016
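The gap described in the post, as an added example (not MMA's own code): a checksum of "plugin.py" alone still matches after a module it calls is edited, while a digest over every file in the plugin directory does not. The names `sample_plugin`, `helper.py`, `main_module_checksum` and `directory_digest` are hypothetical, and the plugin files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def main_module_checksum(plugin_dir: Path) -> str:
    """Digest of plugin.py only (the kind of check the post describes)."""
    return hashlib.sha256((plugin_dir / "plugin.py").read_bytes()).hexdigest()


def directory_digest(plugin_dir: Path) -> str:
    """Digest over every file under plugin_dir, bound to its relative path."""
    files = sorted(
        (p.relative_to(plugin_dir).as_posix(), p)
        for p in plugin_dir.rglob("*")
        # Skip bytecode caches: the interpreter regenerates them.
        if p.is_file() and "__pycache__" not in p.parts
    )
    h = hashlib.sha256()
    for rel, path in files:
        name, data = rel.encode(), path.read_bytes()
        # Length-prefix name and content so file boundaries are unambiguous.
        h.update(len(name).to_bytes(8, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def demo() -> dict:
    """Build a constructed plugin, record digests, then edit only the helper."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "sample_plugin"
        plugin.mkdir()
        (plugin / "plugin.py").write_text("import helper\nhelper.run()\n")
        (plugin / "helper.py").write_text("def run():\n    return 'ok'\n")
        stored_main = main_module_checksum(plugin)
        stored_dir = directory_digest(plugin)
        # plugin.py is left alone; only the module it calls changes.
        (plugin / "helper.py").write_text("def run():\n    return 'changed'\n")
        return {
            "main_check_still_passes": main_module_checksum(plugin) == stored_main,
            "directory_check_still_passes": directory_digest(plugin) == stored_dir,
        }


if __name__ == "__main__":
    print(demo())
```

The directory digest covers only files inside the plugin directory; anything the plugin imports from elsewhere on the system is outside it, which is the rabbit hole the post mentions.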