Bug 5994 - Remove all executable pages/controllers from pkp/lib.
Remove all executable pages/controllers from pkp/lib.
Status: RESOLVED WONTFIX
Product: OJS
Classification: Unclassified
Component: General
2.4.x
PC Linux
: P3 normal
Assigned To: PKP Support
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-09-28 21:13 PDT by jerico
Modified: 2013-03-25 12:02 PDT (History)
1 user (show)

See Also:
Version Reported In: 2.3.3
Also Affects: OCS 2.3.4, OHS 2.3.2, OMP 1.0


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description jerico 2010-09-28 21:13:49 PDT
As an additional security measure executable pages should only be in the applications so that there is no danger at all that they could be used from applications that don't implement them (e.g. from the Harvester). We can make sure that pages cannot be executed from lib/pkp by adapting the router to no longer search for pages in the library and introduce simple wrapper classes in the applications' page directory.
Comment 1 Alec Smecher 2013-03-25 12:02:59 PDT
On further thought, I'm content to allow controllers to be invoked directly in lib-pkp. Currently controllers that are "incomplete" (i.e. potentially dangerous, e.g. with unimplemented authorize() functions) live in classes/controllers, where they cannot be invoked directly; it's fair to assume that anything in lib/pkp/controllers should be considered safe to execute.