Re: Bug#625865: ITP: ocportal -- ocPortal is a Content Management System for building and maintaining a dynamic website

On Fri, 06 May 2011, Chris Warburton wrote:
> Hi Scott. ocPortal isn't massively widespread compared to other systems,
> so there's obviously less experimental proof of security. We had a
> security hole a few years ago; this was before I got involved, but
> there are details here: http://en.wikipedia.org/wiki/OcPortal#Criticisms
> Official ocPortal releases are managed by ocProducts, a company set up
> around ocPortal (and who pay my salary), and we have a clear security
> policy which can be found here
> http://ocportal.com/site/maintenance.htm .
> We also regularly run static code analysis tools on the codebase and we
> test every release with a hacked PHP runtime that 1) triggers errors if
> strings are not explicitly sanitised before going through eval, getting
> echoed to a browser or being entered into a database, and 2) enforces a
> type system on variables and function calls (based on type signatures
> written into the PHPdoc of every function), and raises an error if there
> is a type mismatch. I actually run this hacked PHP on my system in place
> of the distro's own.
> If there are specific security concerns I'd be happy to address them.

This is a better security policy than most PHP packages we have in the

That alone is grounds enough to allow ocportal in IMO.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh