[TYPO3] Testing Typo3 4.x
typo3 at fm-world.ru
Fri Apr 7 13:48:31 CEST 2006
Michael Scharkow wrote:
>> Unless review team works faster, people will have to use this option.
> Working faster might be a bad idea for security reviews... I hope now
> that 4.0 is out, there might be more manpower available for reviews.
I did not say "work less carefully", I said "faster" ;)
One good thing to have is a security checklist. Thus security team could
do multi-pass review: quick scan for possible problems (like <?
include($_GET['file']) ?>) and second pass if extension is big and
complex (like fe_user_register, for example).
Actually, if security team have such list, it could be public. This may
increse quality of extensions if authors could check their code against
"It is our choices, that show what we truly are,
far more than our abilities." (A.P.W.B.D.)
More information about the TYPO3-english