[TYPO3-dev] Services architecture
Helmut Hummel
helmut.hummel at typo3.org
Thu Mar 24 18:47:59 CET 2011
Hi,
Christian Lerrahn (Cerebrum) wrote:
> On Thu, 24 Mar 2011 10:48:59 +0100
> Steffen Ritter <info at rs-websystems.de> wrote:
> [...]
>> I think this should officially be discussed and decided by the
>> security team.
I think it should be discussed officially on this list. There's no need
to reduce the number of involved people in this discussion.
>> As already pointed out I see no difference if you inject some code
>> just reading a variable, or calling some more lines and decrypting it
>> with rsaauth itself... As soon as you are able to execute php code it
>> does not matter, I think.
Without making an official statement at this point:
I personally totally agree with this point of view.
But I also want to hear at least Marcus' statement on that, since he
seemed to be the first one raising concerns in handing over the decrypted
password to another part of the code.
>> So please make this an official ticket at security team and Helmut
>> should post the decision you made here.
We mainly have a private ticket system which gives us the possibility to
implement a responsible disclosure policy and to have a central point
where security issues or security concerns can be reported to.
Of course we happily help out with questions (addressed to the official
email) as time allows, but for discussing future architectural changes
which affect security, an open mailing list is the right place.
> I have taken it on me to send an email to
> securityATtypo3.org to formally move a motion for this issue to be
> assessed and a conclusion to be reached by the security team.
Thanks. I answered you via PM already that we should discuss this publicly.
> A copy of
> my motion went to you (Steffen Ritter) and Dmitry Dulepov to give you
> opportunity to comment on it.
So please continue the discussion here. I will come up with a conclusion
after all arguments have been laid out.
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader
TYPO3 .... inspiring people to share!
Get involved: typo3.org