[Typo3] SQL Injection - READ THIS PLEASE.
Michael Scharkow
mscharkow at gmx.net
Fri Mar 4 23:23:52 CET 2005
Peter Russ wrote:
> Nope, that's not quite right:
>
> Linux is not the frame work as Apache can run under different OSes. So
> if you want to compare you should do it apple by apple.
Come on, this is not an argument. Shall we blame Microsoft for Symantec
Software (which does not run under anything but Windows) being a pile of
crap?
It's just third party software which is written for TYPO3. It's not a
TYPO3 security issue, and I highly appreciate what the sec-team has
done, as I would have probably only said: Not my problem, blame the
extension author.
> I'm just wondering again:
> If Typo3 is interested in supporting extensions and missed to come up
> with a process to differentiate between experimental, alpha, beta,
> testing, stable and let the developer decide without QA ... Who creates
> the problems: the chicken or the egg?
The extension review is meant for sorting out stuff in TER, not for
cleaning crappy extensions. It's not a certification programme that
extension XYZ is secure, and I don't think the review team intends to
guarantee that the reviewed extensions are bug free and secure.
> By the way: what is a 3rd party extension at open source? And who is
> debugging the core Typo3 or 2nd party products? What's about the "hidden
> features" of the 1st party...
What is the problem? Stuff in -core is maintained by the core team, the rest
is not. How clean can a distinction be?
> If you want developers to publish their extension at typo3.org you also
> have to accept the consequences if s.th. goes wrong. Or different place
> has to be established.
Ack. But allowing extensions to TER does not mean you have to maintain
them. And again, there seem to have been problems with an obviously
misleading and impolite Bugtraq PR blitz...
I think the advisory is still too defensive, it should be stated more
prominently that the bug is not in TYPO3 at all.
Greetings,
Michael