[dev] default backends

Jan Schneider jan at horde.org
Tue Feb 15 18:29:36 UTC 2011


Quoting Vilius Šumskas <vilius at lnk.lt>:

> Hello,
>
> Tuesday, February 15, 2011, 7:47:02 PM, you wrote:
>
>> Not to mention the security concerns.  We ship a configuration default
>> that we think makes sense, and it turns out that it opens a security
>> hole on my particular installation.
>
> That's a very good point. Imagine that I'm an admin and I have a backend
> configured with my secret username and password. Suddenly, Horde
> developers change the 'hostname' key of the config array to 'host'.
> Boom, your installation ends up logging into a completely different
> server. Even if it points to 'example.com' I don't want the password
> transmitted through the internet.
>
> Maybe  some  kind  of configuration file versioning/prioritizing could
> help here?

This is all nice and fine, but it has nothing to do with the recent
changes, because the same is true with the old way of providing
configuration files too. We tell admins to update all configuration
files after updating an application. If he does as we tell him to
do, he will get the new defaults that we deem appropriate too.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
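
The failure mode discussed in this thread (a local override written for 'hostname' being silently ignored once the shipped defaults use 'host') can be caught at load time. The following is an added example, not code from the post or from Horde; the array layout, the `merge_backend()` function and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: the array layout and merge_backend() are hypothetical,
// not Horde's configuration API.

/**
 * Merge an admin's local backend settings over the shipped defaults,
 * refusing any key the defaults do not define (e.g. one renamed upstream)
 * instead of silently falling back to the default value.
 */
function merge_backend(array $defaults, array $local): array
{
    $unknown = array_diff_key($local, $defaults);
    if ($unknown) {
        throw new UnexpectedValueException(
            'Unrecognized backend keys (renamed upstream?): '
            . implode(', ', array_keys($unknown))
        );
    }
    return array_replace($defaults, $local);
}

// Constructed sample: shipped defaults after the 'hostname' -> 'host' rename.
$defaults = ['host' => 'example.com', 'port' => 143,
             'username' => '', 'password' => ''];

// Constructed sample: admin's local file, written before the rename.
$local = ['hostname' => 'mail.internal.test',
          'username' => 'svc', 'password' => 'not-a-real-secret'];

// Naive merge: the stale 'hostname' key is carried along but never read,
// so the default host survives and would receive the credentials.
$naive = array_replace($defaults, $local);
echo "naive merge would connect to: {$naive['host']}\n";

// Strict merge: the stale key stops the load before any connection is made.
try {
    merge_backend($defaults, $local);
} catch (UnexpectedValueException $e) {
    echo "refused: {$e->getMessage()}\n";
}

// Once the admin updates the local file to the new key, the merge succeeds.
$fixed = ['host' => 'mail.internal.test',
          'username' => 'svc', 'password' => 'not-a-real-secret'];
$cfg = merge_backend($defaults, $fixed);
echo "strict merge connects to: {$cfg['host']}\n";
```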


