[TYPO3] Testing Typo3 4.x
Dmitry Dulepov
typo3 at fm-world.ru
Fri Apr 7 13:48:31 CEST 2006
Hi!
Michael Scharkow wrote:
>> Unless review team works faster, people will have to use this option.
>
> Working faster might be a bad idea for security reviews... I hope now
> that 4.0 is out, there might be more manpower available for reviews.
I did not say "work less carefully", I said "faster" ;)
One good thing to have is a security checklist. Thus the security team could
do a multi-pass review: a quick scan for possible problems (like
<? include($_GET['file']) ?>) and a second pass if the extension is big and
complex (like fe_user_register, for example).
Actually, if the security team has such a list, it could be public. This may
increase the quality of extensions if authors could check their code against
such a list.
Dmitry.
--
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
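
An added example, not part of the message above or of any TYPO3 tooling: a sketch of the "quick scan" first pass, flagging include/require statements fed by request data such as the `include($_GET['file'])` pattern mentioned. The function name `quick_scan` and the sample extension source are constructed for illustration; the check is regex-based, so every hit still needs a human reviewer.

```python
import re

# Request-controlled sources: PHP superglobals and TYPO3's t3lib_div request wrappers.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b|t3lib_div::_(?:GP|GET|POST)\s*\(")
# An include/require statement up to its terminating ';' or closing PHP tag.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?(?P<arg>[^;]*?)(?:;|\?>)")
# Simple assignment ($x = ... or $x .= ...), excluding '==' and '=>'.
ASSIGN = re.compile(r"(\$\w+)\s*\.?=(?!=|>)\s*([^;]*);")


def quick_scan(php_source):
    """Return (line, reason, snippet) for each include fed by request data."""
    # One-step taint: variables assigned directly from a request source.
    tainted = {name for name, rhs in ASSIGN.findall(php_source) if SOURCE.search(rhs)}
    findings = []
    for m in INCLUDE.finditer(php_source):
        arg = m.group("arg")
        if SOURCE.search(arg):
            reason = "request data used directly in include"
        elif tainted & set(re.findall(r"\$\w+", arg)):
            reason = "include of variable assigned from request data"
        else:
            continue  # constant or untainted path: leave for the second pass
        line = php_source.count("\n", 0, m.start()) + 1
        findings.append((line, reason, " ".join(m.group().split())))
    return findings


# Constructed sample extension code (not taken from a real extension).
SAMPLE = """<?php
require_once(PATH_tslib . 'class.tslib_pibase.php');
$tpl = t3lib_div::_GP('template');
$page = 'static.php';
include($page);
include('templates/' . $tpl . '.php');
?>
<? include($_GET['file']) ?>
"""

if __name__ == "__main__":
    for line, reason, snippet in quick_scan(SAMPLE):
        print(f"line {line}: {reason}: {snippet}")
```

Comments are not stripped, so commented-out code is reported as well, which is acceptable for a first pass meant to over-report.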