Closed skenow closed 1 year ago
I think this warning doesn't matter anymore because at the start of css_optimizer.php there are these lines:

```php
if (!file_exists(__DIR__ . DIRECTORY_SEPARATOR . ".unlock_css_optimiser")) {
    print 'Access Denied. Add a file `.unlock_css_optimiser` to the directory to unlock css_optimiser';
    exit;
}
```

And .unlock_css_optimiser is not included in the icms distribution.
So, if it will only work with the addition of the unlock file, should we remove the css_optimizer file, or remove the warning, or change the test?
I think we should just remove the warning. Leaving this file in place will make it easier for us to upgrade the library in the future.
I think it would be better to update the test conditions and if the unlock file is present, remind the administrator there is a vulnerability still. This was the only change they made to avoid the vulnerability. There are a lot of unfiltered user inputs still in the file.
Related pull request already merged. So closing.
With the upgrade of CSSTidy, css_optimizer.php has been reintroduced to our core, which generates a warning in the admin control panel. Has the vulnerability been resolved? We need to adjust to remove the warning, or the file.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
No warnings
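
One way to implement the test condition suggested in the thread (warn only when the unlock file is present), as an added example that is not ImpressCMS or CSSTidy code. The function names and the directory argument are assumptions; only the two file names come from the thread.

```php
<?php
// Added example: function names and the $libDir argument are hypothetical.
// Only 'css_optimizer.php' and '.unlock_css_optimiser' come from the thread.

/** Classify the optimiser script in $libDir as 'absent', 'locked' or 'unlocked'. */
function css_optimizer_state(string $libDir): string
{
    $script = $libDir . DIRECTORY_SEPARATOR . 'css_optimizer.php';
    $unlock = $libDir . DIRECTORY_SEPARATOR . '.unlock_css_optimiser';

    if (!is_file($script)) {
        return 'absent';
    }
    // The script's own guard uses file_exists(), so a file or a directory
    // with this name unlocks it; use the same test so both checks agree.
    clearstatcache(true, $unlock);
    return file_exists($unlock) ? 'unlocked' : 'locked';
}

/** Message for the admin control panel, or null when no warning is needed. */
function css_optimizer_warning(string $libDir): ?string
{
    if (css_optimizer_state($libDir) !== 'unlocked') {
        return null;
    }
    return 'css_optimizer.php is unlocked by .unlock_css_optimiser in '
        . $libDir . '; delete the unlock file when the optimiser is not in use.';
}

// Demo on a constructed temporary directory (not a real installation).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'csstidy_demo_' . bin2hex(random_bytes(4));
$script = $dir . DIRECTORY_SEPARATOR . 'css_optimizer.php';
$unlock = $dir . DIRECTORY_SEPARATOR . '.unlock_css_optimiser';

mkdir($dir);
var_dump(css_optimizer_warning($dir)); // script not installed
touch($script);
var_dump(css_optimizer_warning($dir)); // script installed, unlock file missing
touch($unlock);
var_dump(css_optimizer_warning($dir)); // unlock file added

// Clean up the constructed files.
unlink($unlock);
unlink($script);
rmdir($dir);
```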