MarkE Posted April 4, 2023 Posted April 4, 2023 Just posting this here as I raised an issue some time ago about TextformatterHannaCode module, which has not been responded to or addressed (see https://processwire.com/talk/topic/3745-hanna-code/page/18/?tab=comments#comment-217245 and https://github.com/ryancramerdesign/ProcessHannaCode/issues/26). I have also recently raised a PR (https://github.com/ryancramerdesign/ProcessHannaCode/pull/27) to fix it. Essentially the problem is that, if you have a PHP Hanna Code which is namespaced (ProcessWire), then the module will remove the namespace (irritating in itself), but also (and maybe more seriously) it will omit the line if(!defined("PROCESSWIRE")) die("no direct access"); which is potentially a security weakness. The PR is a simple one-word fix. 2
WillyC Posted April 12, 2023 Posted April 12, 2023 not security hole files .in /site/assets/cache/HannaCode not web access-ible so no need to die() 3
MarkE Posted April 12, 2023 Author Posted April 12, 2023 1 hour ago, WillyC said: no need to die() That’s good (although @ryanobviously wanted to include it for some reason). The namespacing issue is still a problem, though, so I think the fix is needed.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now