In the latest development version of commons, we get an alert at admin/reports/status that:
"Your getID3 library is insecure! The demos distributed with getID3 contains code which creates a huge security hole. Remove the demos directory (......profiles/drupal_commons/libraries/getid3/demos) from beneath Drupal's directory."
One question is how to package with Drush make and not include this demos directory. I don't think Drush make can *remove* a downloaded directory from within a library and I don't think that getID3 is distributed without that directory. Hosting our own copy on GitHub seems like an easy, if awkward option.
It also seems like it's time to update to getID3 1.9.
Comment | File | Size | Author |
---|---|---|---|
#11 | 1336886-11.patch | 313.6 KB | jhedstrom |
#10 | getid3_rm_demos-1336886-10.patch | 312.76 KB | Anonymous (not verified) |
#9 | getid3-remove-demos-1.9.5.patch | 312.1 KB | Anonymous (not verified) |
#8 | getid3-remove-demos-1.9.3.patch | 301.9 KB | janusman |
#4 | getid3-remove-demos-1.9.1.patch | 300.95 KB | ezra-g |
Comments
Comment #1
ezra-g commented: Actually, looks like getID3 is GPL 2. Maybe this means we can include it in the Commons repo?
Comment #2
ezra-g commented: Nope.
Comment #3
ezra-g commented: Attached is a patch that removes this unwanted directory.
The 1336886-remove-id3-demos-dir branch of Commons modifies drupal_commons.make to use this patch when building Commons.
Comment #4
ezra-g commented: Here's an updated patch for getid3 1.9.1
Comment #5
laurentc commented: Cool. The patch is good.
Comment #6
ezra-g commented: Thanks for the review. This is committed: http://drupalcode.org/project/commons.git/commitdiff/9c948d3?hp=6c4893e2... .
Comment #8
janusman commented: Just for reference, adding this patch that removes the demos directory from a newer version of getid3 (1.9.3)
Comment #9
Anonymous (not verified) commented: Here is a patch for getid3 1.9.5.
Comment #10
Anonymous (not verified) commented: Here is a patch to remove demos in 1.9.7.
Comment #11
jhedstrom commented: This patch is actually used in a drush make test, so I needed to reroll it for 1.9.8. Sorry for the noise.
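A post-build check for the condition the status report warns about, as an added example that is not part of this thread or of the Commons code base: it scans a built Drupal tree for any `getid3/demos` directory and fails if one is present, so a re-rolled patch that stops applying is caught at build time. The function names `find_getid3_demos` and `check_build` are hypothetical.

```shell
#!/bin/sh
# Added example: fail a build if any getID3 copy under a Drupal root still
# ships its demos directory (e.g. profiles/drupal_commons/libraries/getid3/demos).

# find_getid3_demos ROOT
# Prints every directory named "demos" whose parent directory is "getid3",
# at any depth, so sites/all/libraries and profiles/*/libraries are both covered.
find_getid3_demos() {
  find "$1" -type d -path '*/getid3/demos'
}

# check_build ROOT
# Returns 0 when the tree is clean, 1 when a demos directory was found,
# 2 when ROOT is not a directory.
check_build() {
  if [ ! -d "$1" ]; then
    echo "not a directory: $1" >&2
    return 2
  fi
  hits=$(find_getid3_demos "$1")
  if [ -n "$hits" ]; then
    echo "getID3 demos directory present; the removal patch did not apply:" >&2
    echo "$hits" | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Stand-alone use: sh check_getid3.sh /path/to/built/drupal
[ $# -eq 0 ] || check_build "$1"
```

Run it against the output directory of the make build; a non-zero exit status means the demos directory survived packaging.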