Bug 5994 – Remove all executable pages/controllers from pkp/lib.

Bug 5994 - Remove all executable pages/controllers from pkp/lib.

Summary:

Remove all executable pages/controllers from pkp/lib.

Status:	RESOLVED WONTFIX

Product:	OJS
Classification:	Unclassified
Component:	General
Version:	2.4.x
Platform:	PC Linux

Importance:	P3 normal
Assigned To:	PKP Support

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2010-09-28 21:13 PDT by jerico
Modified:	2013-03-25 12:02 PDT (History)
CC List:	1 user (show)

See Also:
Version Reported In:	2.3.3
Also Affects:	OCS 2.3.4, OHS 2.3.2, OMP 1.0

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jerico 2010-09-28 21:13:49 PDT

As an additional security measure executable pages should only be in the applications so that there is no danger at all that they could be used from applications that don't implement them (e.g. from the Harvester). We can make sure that pages cannot be executed from lib/pkp by adapting the router to no longer search for pages in the library and introduce simple wrapper classes in the applications' page directory.

Comment 1 Alec Smecher 2013-03-25 12:02:59 PDT

On further thought, I'm content to allow controllers to be invoked directly in lib-pkp. Currently controllers that are "incomplete" (i.e. potentially dangerous, e.g. with unimplemented authorize() functions) live in classes/controllers, where they cannot be invoked directly; it's fair to assume that anything in lib/pkp/controllers should be considered safe to execute.