Item12327: SafeWikiPlugin: reworked code signing system

Priority: Enhancement
Current State: Being Worked On
Released In: n/a
Target Release:
Applies To: Extension
Component: SafeWikiPlugin
Branches: trunk
Reported By: JanKrueger
Waiting For: JanKrueger
Last Change By: JanKrueger
The current code signing in SafeWikiPlugin is (a) unsafe due to its use of the broken MD5 algorithm and (b) not flexible enough for Foswiki:

  • Some plugins, most notably JQueryPlugin, dynamically generate JavaScript code. Signing something dynamic is currently impossible. Plugins could, in theory, be trusted to embed safe JS code, but currently they aren't and so this kind of code is needlessly filtered away.
  • Since signatures for script code included in Foswiki are installed via LSC, this field can't easily be used by administrators for adding their own signatures – each Foswiki update would require manual work to merge the changes. This makes the field rather useless. Similarly, plugins that come with their own embedded JavaScript have no simple way of passing signatures to SWP.

I've implemented a new signing system that I will commit soon. I'd appreciate testers and feedback.

-- JanKrueger - 03 Jan 2013

 
Topic revision: r10 - 28 Feb 2013, JanKrueger
