Subject: Re: [VOTE] release Apache VCL 2.1
From: Leo Simons
To: general@incubator.apache.org
Date: Tue, 24 Nov 2009 10:14:14 +0000
In-Reply-To: <200911181542.39471.josh_thompson@ncsu.edu>

Hey hey,

On Wed, Nov 18, 2009 at 8:42 PM, Josh Thompson wrote:
> The Apache VCL community voted on and approved a proposal to release Apache
> VCL 2.1. We would like to request the endorsement of the Incubator PMC to
> publish this release.
>
> The release artifact, sums, and GPG signature can be found here:
> http://people.apache.org/~jfthomps/apache-VCL-2.1-RC2-incubating/

1) Basic package looks good to me, though I didn't try to install or run it.
I checked RAT and checksums and read the various instructions.

2) The licensing situation looks 'interesting' - you have a few GPLed
dependencies like MySQL and mcrypt and Nmap without which I imagine the
product doesn't work. I would like to see VCL run on a non-GPL database and
be ensured that it can function without other viral-licensed components as
hard dependencies, some time before graduation (I think it's ok to release,
as long as some kind of plan is in place).

3) There is no website yet? You really have to do a basic homepage over at
http://incubator.apache.org/vcl/, for example so that you can point people
at mirrors (see http://www.apache.org/dev/#mirror about the mirroring
system).

4) Since this is PHP code I did a cursory code review for SQL injection /
XSS / etc. It seems like that's had some attention, but at a glance maybe
it's not quite perfect? For example checkAccess() in utils.php:

    $xmlpass = $_SERVER['HTTP_X_PASS'];
    if(get_magic_quotes_gpc())
        $xmlpass = stripslashes($xmlpass);

where $xmlpass is used moments later to execute SQL:

    $query = "SELECT x.id " .
             "FROM xmlrpcKey x, " .
             "user u " .
             "WHERE x.ownerid = u.id AND " .
             "u.unityid = '$xmluser' AND " .
             "x.key = '$xmlpass' AND " .
             "x.active = 1";

Another piece of suspect code would be in submitLogin() in
authentication.php which does not appear to validate the $_POST['password'].

I'm by no means a PHP expert so I might be making a fool of myself here, but
better safe than sorry. So, can you explain (preferably on, err, your
website) what measures are in place to guard against things like SQL
injection and XSS?
thanks,

Leo
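The key lookup Leo quotes from checkAccess(), shown beside a parameterized version of the same query, as an added example that is not Apache VCL's code and not part of the thread. It assumes a PHP build with the pdo_sqlite extension so it can run against an in-memory database; the table and column names follow the quoted query, and the sample rows, the key value and the test input are constructed.

```php
<?php
// Added example, not code from Apache VCL. Reproduces the lookup quoted from
// checkAccess() in two forms against an in-memory SQLite database (assumes the
// pdo_sqlite extension). Table/column names follow the quoted query; the rows
// and the test input below are constructed.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, unityid TEXT)');
    // SQLite accepts "key" as a column name, so the quoted query can be kept as is.
    $db->exec('CREATE TABLE xmlrpcKey (id INTEGER PRIMARY KEY, ownerid INTEGER, key TEXT, active INTEGER)');
    $db->exec("INSERT INTO user (id, unityid) VALUES (1, 'alice')");
    $db->exec("INSERT INTO xmlrpcKey (id, ownerid, key, active) VALUES (10, 1, 'constructed-key', 1)");
    return $db;
}

// The pattern under review: request-controlled strings are spliced into the
// SQL text, so a quote character in $xmlpass changes the query's structure.
// stripslashes() only undoes magic quotes; it is not an escaping step.
function lookupKeyInterpolated(PDO $db, string $xmluser, string $xmlpass): ?int {
    $query = "SELECT x.id " .
             "FROM xmlrpcKey x, " .
             "user u " .
             "WHERE x.ownerid = u.id AND " .
             "u.unityid = '$xmluser' AND " .
             "x.key = '$xmlpass' AND " .
             "x.active = 1";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Hardened form: the SQL text is fixed and the values travel as bound
// parameters, so they are compared as literal strings whatever characters
// they contain. No get_magic_quotes_gpc()/stripslashes() handling is needed
// (that function was removed in PHP 8 anyway).
function lookupKeyPrepared(PDO $db, string $xmluser, string $xmlpass): ?int {
    $stmt = $db->prepare(
        'SELECT x.id FROM xmlrpcKey x JOIN user u ON x.ownerid = u.id ' .
        'WHERE u.unityid = :user AND x.key = :pass AND x.active = 1'
    );
    $stmt->execute([':user' => $xmluser, ':pass' => $xmlpass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

$db = setupDb();

// A correct user/key pair: both forms find the same key id.
var_dump(lookupKeyInterpolated($db, 'alice', 'constructed-key'));
var_dump(lookupKeyPrepared($db, 'alice', 'constructed-key'));

// A regression-test input that is not the key but carries a quote character.
$notTheKey = "' OR '1'='1";
var_dump(lookupKeyInterpolated($db, 'alice', $notTheKey)); // WHERE clause restructured
var_dump(lookupKeyPrepared($db, 'alice', $notTheKey));     // value compared literally
```

Run with `php` on the command line. For the real key both functions return the key id 10. For the constructed input the interpolated form still returns 10, because the quote closes the string literal and the trailing `OR` rewrites the WHERE clause, while the prepared form returns NULL, since the whole value is compared against x.key as one literal string. That behavioural difference is the check a reviewer would want to see covered by a test in the project itself.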