[dokuwiki] Handling security issues in DokuWiki plugins

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx <dokuwiki@xxxxxxxxxxxxx>
  • Date: Tue, 11 Mar 2008 22:54:38 +0100

Hi all!

Thanks to the efforts of Andy Webber, multiple security vulnerabilities
were discovered in DokuWiki plugins recently. Andy sent a mail to the
authors and CCed me. Unfortunately, very few plugin authors seem to
respond to the issues and fix them.

I thought for a while about how to handle the situation. To protect
innocent users, I decided to go for a full disclosure policy. Here is
how it works:

Whenever someone discovers a security issue in a plugin, two things
should be done:

1. Send an email to the author of the plugin, explaining the problem.

2. Add a 'securityissue' field to the data in the plugin page. This
field should contain a short description of the problem.

Here is an example of a plugin page with a marked security problem:
http://wiki.splitbrain.org/plugin:dailymotion

Doing the latter serves two purposes: first, it makes it very obvious
that there is a problem with the plugin. Secondly, it will hide the
plugin from the list on wiki:plugins.

In an ideal world we would have the manpower for a security team
that would check each and every plugin. Unfortunately, this is not the
case.

To help plugin authors with writing secure code, I started a page at
http://wiki.splitbrain.org/wiki:plugins:security - it would be great if
everybody could have a look at it and improve it.

Andi

-- 
http://www.splitbrain.org
