0001855: How to deal with PHP apps which can be updated via the web interface by the admin user?

ClearFoundation Tracker - ClearOS
View Issue Details

ID	Project	Category	View Status	Date Submitted	Last Update
0001855	ClearOS	app-webapp - Web App Engine	public	2014-07-13 17:03	2020-09-03 04:25

Reporter	marclaporte
Assigned To
Priority	low	Severity	feature	Reproducibility	N/A
Status	closed	Resolution	suspended
Platform		OS		OS Version
Product Version
Target Version		Fixed in Version

Summary	0001855: How to deal with PHP apps which can be updated via the web interface by the admin user?
Description	Some web apps like WordPress, Joomla! and Piwik can be updated by the site admin via the web interface. In the case of WordPress and Joomla!, you can also update extensions via the web interface (I don't know about Piwik). For this to work: * In some cases, the PHP user must be able to write files. * In other cases, the user enters the FTP password and PHP uses this to write to itself. These 2 cases have security implications. A counter example is Tiki. Tiki does not attempt to update itself via the web interface and relies on an external process (FTP or SVN), a 1-click installer (like what we have in ClearOS) or TIM (Tiki Instance Manager, a command line tool). ClearOS will eventually handle upgrades. One thing to think about is what happens if ClearOS does the install, but then, the application is updated on its own. How to avoid issues? How to deal with the diversity? Thanks!
Steps To Reproduce
Additional Information
Tags	No tags attached.
Relationships
Attached Files

Issue History
Date Modified	Username	Field	Change
2014-07-13 17:03	marclaporte	New Issue
2014-07-14 08:45	user2	Status	new => acknowledged
2014-07-14 08:56	user2	Note Added: 0001234
2020-09-03 04:25	NickH	Note Added: 0014591
2020-09-03 04:25	NickH	Status	acknowledged => closed
2020-09-03 04:25	NickH	Resolution	open => suspended

Notes