Hey hey,

On Wed, Nov 18, 2009 at 8:42 PM, Josh Thompson <josh_thomp...@ncsu.edu> wrote:
> The Apache VCL community voted on and approved a proposal to release Apache
> VCL 2.1. We would like to request the endorsement of the Incubator PMC to
> publish this release.
>
> The release artifact, sums, and GPG signature can be found here:
> http://people.apache.org/~jfthomps/apache-VCL-2.1-RC2-incubating/
1) Basic package looks good to me, though I didn't try to install or run it. I checked RAT and checksums and read the various instructions.

2) The licensing situation looks 'interesting' - you have a few GPLed dependencies like MySQL and mcrypt and Nmap without which I imagine the product doesn't work. I would like to see VCL run on a non-GPL database and be ensured that it can function without other viral-licensed components as hard dependencies, some time before graduation (I think it's ok to release, as long as some kind of plan is in place).

3) There is no website yet? You really have to do a basic homepage over at http://incubator.apache.org/vcl/, for example so that you can point people at mirrors (see http://www.apache.org/dev/#mirror about the mirroring system).

4) Since this is PHP code I did a cursory code review for SQL injection / XSS / etc. It seems like that's had some attention, but at a glance maybe it's not quite perfect? For example checkAccess() in utils.php:

    $xmlpass = $_SERVER['HTTP_X_PASS'];
    if(get_magic_quotes_gpc())
        $xmlpass = stripslashes($xmlpass);

where $xmlpass is used moments later to execute SQL:

    $query = "SELECT x.id " .
             "FROM xmlrpcKey x, " .
             "user u " .
             "WHERE x.ownerid = u.id AND " .
             "u.unityid = '$xmluser' AND " .
             "x.key = '$xmlpass' AND " .
             "x.active = 1";

Another piece of suspect code would be in submitLogin() in authentication.php which does not appear to validate the $_POST['password'].

I'm by no means a PHP expert so I might be making a fool of myself here, but better safe than sorry. So, can you explain (preferably on, err, your website) what measures are in place to guard against things like SQL injection and XSS?

thanks,

Leo
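The key lookup Leo quotes, as an added example that is neither VCL code nor part of the original thread: an in-memory SQLite stand-in for the two tables, with the interpolated query from checkAccess() beside a parameterised version of the same query. The table layout, sample rows and the tautology input are constructed assumptions, not VCL's real schema or data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the two tables the query touches:
    # one user owning one active XML-RPC key.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (id INTEGER PRIMARY KEY, unityid TEXT);
        CREATE TABLE xmlrpcKey (id INTEGER PRIMARY KEY, ownerid INTEGER,
                                "key" TEXT, active INTEGER);
        INSERT INTO user VALUES (1, 'alice');
        INSERT INTO xmlrpcKey VALUES (10, 1, 's3cret-key', 1);
        """
    )
    return conn


def lookup_interpolated(conn, xmluser: str, xmlpass: str):
    # Same shape as the reviewed utils.php: header values pasted into the SQL
    # text. Note stripslashes() under magic_quotes removes the only escaping
    # that would otherwise have been applied to HTTP_X_PASS.
    query = (
        "SELECT x.id FROM xmlrpcKey x, user u "
        "WHERE x.ownerid = u.id AND "
        f"u.unityid = '{xmluser}' AND x.key = '{xmlpass}' AND x.active = 1"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, xmluser: str, xmlpass: str):
    # Hardened form: the driver binds the values, so input can never change
    # the structure of the statement.
    query = (
        "SELECT x.id FROM xmlrpcKey x, user u "
        "WHERE x.ownerid = u.id AND "
        "u.unityid = ? AND x.key = ? AND x.active = 1"
    )
    return conn.execute(query, (xmluser, xmlpass)).fetchall()


def demo():
    conn = make_db()
    good = ("alice", "s3cret-key")
    # Constructed tautology in the key header; no valid key is supplied.
    tautology = ("alice", "x' OR '1'='1")
    return {
        "interp_good": lookup_interpolated(conn, *good),
        "interp_tautology": lookup_interpolated(conn, *tautology),
        "param_good": lookup_parameterised(conn, *good),
        "param_tautology": lookup_parameterised(conn, *tautology),
    }
```

The interpolated lookup returns the key row for both inputs, while the parameterised lookup only matches the real key, which is the check a reviewer would want to see behind checkAccess().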