Friday, March 4, 2016

Plugin security

I'm wondering if the current checks on the plugin security are not enough or silly and in the won't-ever-prevent-much category?

Right now we check to see if the requested plug has been "authorized" and let the user decide if he/she wants to use it.

One of the things we do is to run a checksum on the main module. This is stored with the authorization. If the checksum changes, we request a new authorization.

But, it's really silly since it's very easy for a "bad person" to sidestep with by calling another module. Leave the main "plugin.py" alone and modify something it calls. And so we go down the rabbit hole.

My proposal is to dump the checksum and just ask if the directory/module is okay.

And what do you folks think. Please let me know.
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

 I've been pretty neglectful in keeping this blog up-to-date. Lots of excuses ... but, I'll try to do a bit better! There is a new b...

  • MMA 16.06.c ... get it now
    This is the last 16.06 that will be posted. Next month I will be releasing 19.01. So there! In the meantime could you please grab this ver...
  • (no title)
     I've been pretty neglectful in keeping this blog up-to-date. Lots of excuses ... but, I'll try to do a bit better! There is a new b...
  • MMA 19.07 ready
    I'm pleased to announce the long overdue update to MMA stable. Version 19.07 is now online and ready for your musical pursuits. Lots of ...