[TYPO3-core] [TYPO3-security] RFC: EM displays insecure extensions
Michael Stucki
michael at typo3.org
Tue Feb 20 22:01:29 CET 2007
Rupert Germann wrote:
> On Tuesday 20 February 2007 12:22, Karsten Dambekalns wrote:
> ...
>> > Question: it seems that "-1" extensions will be in db but there is no
>> > way to see them in EM. So, why do we need them in db at all?
>>
>> Your own extension will still be visible, even if insecure. That
>> should work, at least. :)
>
> it doesn't. Either 'AND NOT reviewstate < 0' or 'AND reviewstate > 0' is
> added to the query so reviewstate=-1 will never be displayed.
Correct, and I think it is perfectly fine this way. But I also have to agree
with Dmitry: Why should negative reviewstates be written into the database?
Or even more: Why should they stay in the file at all?
In any way: I have now committed the attached patches to Trunk (slightly
modified Karstens version) and also committed the unmodified 4.0 patch in
TYPO3_4-0 (after reviewing it, too).
So the issue is now fixed, but the sense behind keeping insecure extensions
in extensions.xml.gz is still questionable...
- michael
--
Use a newsreader! Check out
http://typo3.org/community/mailing-lists/use-a-news-reader/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: em_fixes_trunk_w.diff
Type: text/x-diff
Size: 2712 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20070220/72fc893f/attachment.bin
More information about the TYPO3-team-core
mailing list