Rev 644 | Rev 648
Rev 644 | Rev 647 | ||
---|---|---|---|
Line 6... | Line 6... | ||
6 | - BCrypt |
6 | - BCrypt |
7 | Make #rounds and length of admin password configurable (pre-baseconfig?) |
7 | Make #rounds and length of admin password configurable (pre-baseconfig?) |
8 | Include dev/bcrypt_cost_calculator somewhere in the configuration page? |
8 | Include dev/bcrypt_cost_calculator somewhere in the configuration page? |
9 | ... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin) |
9 | ... At least give a hint to the documentation, so they know how to run the tool and how to enter the cost in the configuration (for RA and Admin) |
10 | ... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!) |
10 | ... or in the setup page make an extra control how complex the admin password should be? but be aware that nobody enters a too big number (it makes DoS possible!) |
- | 11 | - Get rid of phpsvn completely! So, 901_vnag and 900_softwareupdate need to get log files from an XML file located at viathinksoft.com |
|
11 | - SVN: XML and JS files are sometimes marked as binary, because they have the mime type "application". We need to undo that! |
12 | This also solves the problem that a revision is detected before the update+checksum files have been created! |
- | 13 | svn log https://svn.viathinksoft.com/svn/oidplus/trunk --xml |
|
- | 14 | ||
12 | 15 | ||
13 | SECURITY Improvements: |
16 | SECURITY Improvements: |
14 | - Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check") |
17 | - Small security issue: A visitor can check which plugins are installed by either entering a "goto" command (e.g. "oidplus:vnag_version_check") |
15 | and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404. |
18 | and see which error message appears, or they could try to enter "plugin/adminPages/..." using the web browser and see if the result is HTTP 200 or HTTP 404. |
16 | 19 |
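Review bot: the added item "Get rid of phpsvn completely! So, 901_vnag and 900_softwareupdate need to get log files from an XML file located at viathinksoft.com" does not say how that remote XML is authenticated, even though it becomes the input of the software update plugin. The TODO should record that the file is fetched over HTTPS only (the added `svn log https://svn.viathinksoft.com/svn/oidplus/trunk --xml` command already uses HTTPS) and that the revision it reports is still cross-checked against the "update+checksum files" named in the following line, so that a spoofed or tampered XML cannot make 900_softwareupdate or 901_vnag report a wrong revision. Separately, the bare `svn log ... --xml` line reads as a continuation of the item rather than as the command that produces the XML; prefix it with "e.g." or indent it under the item.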