
Security hole in TextformatterHannaCode?


MarkE
Just posting this here as I raised an issue some time ago about the TextformatterHannaCode module, which has not been responded to or addressed (see https://processwire.com/talk/topic/3745-hanna-code/page/18/?tab=comments#comment-217245 and https://github.com/ryancramerdesign/ProcessHannaCode/issues/26). I have also recently raised a PR (https://github.com/ryancramerdesign/ProcessHannaCode/pull/27) to fix it.

Essentially the problem is that, if you have a PHP Hanna Code which is namespaced (ProcessWire), then the module will remove the namespace (irritating in itself), but also (and maybe more seriously) it will omit the line

if(!defined("PROCESSWIRE")) die("no direct access");

which is potentially a security weakness.

The PR is a simple one-word fix.

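A way to audit for the missing guard line described in the post above, as an added example that is not part of the original post or of ProcessHannaCode. It assumes you pass, as the first command-line argument, the directory where your site keeps the PHP files generated from Hanna Codes (the post does not give that path); the function names are hypothetical and the sample strings are constructed. A `namespace X { ... }` block form is not handled.

```php
<?php
// Added example (not ProcessHannaCode code; function names are hypothetical).
// Reports PHP files whose first statement is not the PROCESSWIRE guard.

/** True if the first statement after namespace/use/declare lines is the guard. */
function hasDirectAccessGuard(string $source): bool {
    $tokens = token_get_all($source);
    // Anything ahead of the opening tag is output before a guard could run.
    if (!$tokens || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) return false;
    $ignore = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $header = [T_NAMESPACE, T_USE, T_DECLARE]; // statements allowed ahead of the guard
    [$code, $inHeader] = ['', false];
    foreach ($tokens as $tok) {
        $id   = is_array($tok) ? $tok[0] : null;
        $text = is_array($tok) ? $tok[1] : $tok;
        if (in_array($id, $ignore, true)) continue;   // a commented-out guard does not count
        if ($inHeader) {                              // skip to the end of "namespace X;" etc.
            if ($text === ';') $inHeader = false;
            continue;
        }
        if ($code === '' && in_array($id, $header, true)) { $inHeader = true; continue; }
        $code .= $text;                               // significant tokens, whitespace removed
        if (strlen($code) > 80) break;                // the guard fits well within this
    }
    return (bool) preg_match('~^if\(!defined\((["\'])PROCESSWIRE\1\)\)\{?(?:die|exit)\b~', $code);
}

/** Recursively list .php files under $dir that lack the guard. */
function findUnguardedFiles(string $dir): array {
    $missing = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (preg_match('~\.php$~i', $path) && !hasDirectAccessGuard((string) file_get_contents($path))) {
            $missing[] = $path;
        }
    }
    return $missing;
}

$samples = [ // constructed inputs
    'guarded'         => '<?php if(!defined("PROCESSWIRE")) die("no direct access"); echo 1;',
    'namespaced'      => '<?php namespace ProcessWire; if(!defined("PROCESSWIRE")) die("no direct access"); echo 1;',
    'guard missing'   => '<?php echo 1;',
    'guard commented' => '<?php /* if(!defined("PROCESSWIRE")) die("no direct access"); */ echo 1;',
];
foreach ($samples as $name => $src) printf("%-16s %s\n", $name, hasDirectAccessGuard($src) ? 'ok' : 'MISSING GUARD');
foreach ((isset($argv[1]) ? findUnguardedFiles($argv[1]) : []) as $path) echo "MISSING GUARD: $path\n";
```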
