[TYPO3-dev] [TYPO3-v4] Removing the feature "Enable extensions without review (basic security check)" from EM

Oliver Klee typo3-german-02 at oliverklee.de
Wed May 12 23:19:55 CEST 2010


Hi,

I'm +1 for removing that checkbox.

On 12.05.2010 22:49, Marcus Krause wrote:
> Only admins have access to the EM - a small number of TYPO3 users. I
> expect them to know/understand the checkbox's meaning.
[snip]
> We have an extension security policy that most TYPO3 users aren't
> aware of. This checkbox might remind users that only a small number of
> extensions in TER are completely audited in regards to security.
> 
> In 99% of the TER extensions you are exposed to the risk to install
> insecurely written extensions.

I agree that we need awareness of this fact.

Yet, as long as the EM is configured to only use reviewed extensions, I
don't think it's feasible to find the extensions (and current versions)
needed for building a site.

And having that checkbox get enabled in all installations the first time
the admin uses the EM to import extensions doesn't help either.

I propose removing the checkbox and adding a warning flash message
(warning that extensions from the TER might be insecure) the first time
a user imports an extension from the TER. We can then store in
BE_USER->uc whether the user has already seen that warning.

This will create the above-mentioned awareness without the usability
issue that new users don't know why they cannot find certain extensions.

Opinions?


Oli
-- 
Certified TYPO3 Integrator | TYPO3 Security Team Member
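What the proposed one-time warning could look like in a TYPO3 v4 backend module, as an added illustration that is not code from the message above or from TYPO3 core. It assumes a TYPO3 4.3+ backend context ($GLOBALS['BE_USER'] and the t3lib_FlashMessage API); the class name and the uc key 'emTerSecurityWarningSeen' are hypothetical.

```php
<?php
// Added illustration of the proposal in the message above (not code from
// the original message or from TYPO3 core): show a warning before the
// first TER import and remember in BE_USER->uc that it has been shown.
// Assumed: TYPO3 4.3+ backend context ($GLOBALS['BE_USER'], t3lib_FlashMessage).
// The class name and the uc key 'emTerSecurityWarningSeen' are hypothetical.

class tx_em_terSecurityWarning {
	const UC_KEY = 'emTerSecurityWarningSeen';

	/**
	 * Returns TRUE if the current backend user has already seen the warning.
	 * The flag lives in the user's uc array, so it is per user, not per site.
	 */
	public static function hasBeenShown() {
		return !empty($GLOBALS['BE_USER']->uc[self::UC_KEY]);
	}

	/**
	 * Enqueues the warning once per backend user and persists the flag.
	 * Returns TRUE if the warning was shown on this call, FALSE if it had
	 * already been shown earlier.
	 */
	public static function showOnce() {
		if (self::hasBeenShown()) {
			return FALSE;
		}

		$message = t3lib_div::makeInstance(
			't3lib_FlashMessage',
			'Extensions from the TER are not security-reviewed by default; only a small number of them have been audited. Review what you install.',
			'Unreviewed extensions',
			t3lib_FlashMessage::WARNING
		);
		t3lib_FlashMessageQueue::addMessage($message);

		// Persist the "seen" flag so the message is not repeated on later imports.
		$GLOBALS['BE_USER']->uc[self::UC_KEY] = 1;
		$GLOBALS['BE_USER']->writeUC();

		return TRUE;
	}
}

// Usage at the point where the EM imports an extension from the TER:
// tx_em_terSecurityWarning::showOnce();
```

Keeping the flag in uc rather than in a global setting means every admin sees the warning once, which matches the intent of raising awareness per person rather than per installation.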