[ic] Adding a system wide module

Jeff Fearn jefffearn at gmail.com
Tue Feb 1 01:24:59 EST 2005


On Tue, 1 Feb 2005 00:12:18 -0500, Mike Heins <mike at perusion.com> wrote:

> It shouldn't be. Otherwise you would have to allow all code, and that is
> dangerous. We have very few hacks and instabilities in IC considering
> the power of the tag language, and a major reason is the use of Safe.
> 
> You can do whatever you desire with AllowGlobal, but you shouldn't want
> to. In order to do something securely on your pages you should do a
> pretty intensive study of the security and stability implications. If
> you are like most people, you won't, and security suffers.

Open the system wide up _is_ poor practice, however allowing specific
modules to be used system wide _within_ the Safe is not.

Using Tags is just abstracting from placing the module within the
Safe, you should be able to do this programatically without affecting
security and without using a tag.
 
> I always seem talk about security because it makes people and admins
> take notice. But probably the bigger practical bonus is stability. If
> you can do file opens and shell commands from pages, you have a strong
> possibility of creating instability in your catalog.
> 
> Instead of spending that time ensuring against all that, take the few
> minutes to make a UserTag connector. Reusable, allows integration
> directly into the page with ITL, and a much more known risk from a
> security standpoint.

Your security arguments against adding a module only hold if you do
that by removing the security entirely and to a lesser extent if you
add a single module outside of the Safe. If you just want to be able
to bypass the Tag stuff and place a module into the Safe you should,
theoretically, be able to do so without affecting security.

I'm sure the tagging system is powerful, however it seems at least as
complex to use as perl so there seems little reason to have it. The
abstraction from perl is just a destraction for me, I'm sure others
would disagree strongly with that though :)

I guess when you come late to the party you have to suck it up and enjoy it ;)

Jeff


More information about the interchange-users mailing list