[geeklog-devel] Hmm ...
Dirk Haun
dirk at haun-online.de
Wed Jun 25 14:41:42 EDT 2008
Mark Howard wrote:
>I think this is sound security practice -
>eg. disable all potentially dangerous features, but go ahead and provide the
>ability to re-enable them through the configuration interface.
That's one way of looking at it. The other is that disabling something
after it was enabled by default previously sends a message to those that
want to use it - namely, that it's probably not a good idea to enable it.
As can be seen from the indecisive subject, I have no final opinion on
this yet ...
The exact quote from one of the WordPress people is:
>We have chosen to disable Atom Publishing Protocol and the variety of
>XML-RPC protocols by default as they expose a potential to be a
>security risk.
That's very vague. You might as well just disable the entire website[1]
as it exposes a potential risk of SQL injections and XSS.
I thought that the "A Real Solution" section from the Red Sweater blog -
possible financial interest on their part aside - had some good points.
But maybe I only agree with them because it's what we're doing in 1.5.0 ;-)
bye, Dirk
[1] whatever software it's running on - this wasn't meant as a stab at
WordPress
--
http://www.haun-online.de/
http://spam.tinyweb.net/