ImpressCMS / impresscms

A multilingual, extensible, community oriented CMS developed in PHP
https://www.impresscms.org

CSSTidy - previous system warning for css_optimizer #1408

Closed skenow closed 1 year ago

skenow commented 1 year ago

With the upgrade of CSSTidy, css_optimizer.php has been reintroduced to our core, which generates a warning in the admin control panel. Has the vulnerability been resolved? We need to adjust to remove the warning, or the file.

To Reproduce

Steps to reproduce the behavior:

  1. Fresh install of ImpressCMS 1.5 (new 2.0)
  2. Login as an administrator
  3. Go to the administration page
  4. See error

Expected behavior

No warnings

MekDrop commented 1 year ago

I think this warning doesn't matter anymore, because css_optimizer.php starts with these lines:

if (!file_exists(__DIR__ . DIRECTORY_SEPARATOR . ".unlock_css_optimiser")) {
        print 'Access Denied. Add a file `.unlock_css_optimiser` to the directory to unlock css_optimiser';
        exit;
}

And .unlock_css_optimiser is not included in the icms distribution.

skenow commented 1 year ago

So, if it will only work with the addition of the unlock file, should we remove the css_optimizer file, or remove the warning, or change the test?

MekDrop commented 1 year ago

I think we should just remove the warning. Leaving this file in place will make it easier for us to upgrade the library in the future.

skenow commented 1 year ago

I think it would be better to update the test conditions and, if the unlock file is present, remind the administrator that there is still a vulnerability. This was the only change they made to avoid the vulnerability. There are a lot of unfiltered user inputs still in the file.
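A refined admin-panel check along the lines skenow proposes, as an added example written for this issue and not ImpressCMS core code: it warns only when css_optimizer.php is present and its .unlock_css_optimiser marker exists, mirroring the guard quoted above. The CSSTidy directory is passed in as a parameter (an assumption; the file's real location in the core is not stated in this thread).

```php
<?php
// Added example, not ImpressCMS code: classify the state of CSSTidy's
// css_optimizer.php so the admin panel can warn only when the script is
// actually reachable. $csstidyDir is an assumed parameter.

const CSS_OPT_ABSENT   = 'absent';    // file removed, nothing to report
const CSS_OPT_LOCKED   = 'locked';    // file present but guard refuses access
const CSS_OPT_UNLOCKED = 'unlocked';  // marker present: script processes input

function cssOptimizerState(string $csstidyDir): string
{
    $script = $csstidyDir . DIRECTORY_SEPARATOR . 'css_optimizer.php';
    $unlock = $csstidyDir . DIRECTORY_SEPARATOR . '.unlock_css_optimiser';
    if (!is_file($script)) {
        return CSS_OPT_ABSENT;
    }
    // Same condition as the guard at the top of css_optimizer.php: without
    // the marker file the script prints "Access Denied" and exits.
    return is_file($unlock) ? CSS_OPT_UNLOCKED : CSS_OPT_LOCKED;
}

function cssOptimizerWarning(string $csstidyDir): ?string
{
    if (cssOptimizerState($csstidyDir) === CSS_OPT_UNLOCKED) {
        return 'css_optimizer.php is unlocked (.unlock_css_optimiser exists). '
             . 'The script still accepts unfiltered user input; delete the '
             . 'marker file or remove css_optimizer.php.';
    }
    return null; // locked or absent: no admin warning needed
}

// Self-contained demo using a constructed temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'csstidy_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'css_optimizer.php', "<?php\n");
echo cssOptimizerState($dir), PHP_EOL;            // locked
touch($dir . DIRECTORY_SEPARATOR . '.unlock_css_optimiser');
echo cssOptimizerState($dir), PHP_EOL;            // unlocked
echo cssOptimizerWarning($dir), PHP_EOL;          // the warning text
unlink($dir . DIRECTORY_SEPARATOR . '.unlock_css_optimiser');
unlink($dir . DIRECTORY_SEPARATOR . 'css_optimizer.php');
rmdir($dir);
echo cssOptimizerState($dir), PHP_EOL;            // absent
```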

MekDrop commented 1 year ago

The related pull request has already been merged, so closing.