I noticed that Sloan deleted this file from our production system: dotlrn/www/community-image.vuh
The comments say the file is for serving customized group logo images, but .LRN isn't using it, favoring packages/file-storage/download/index.vuh instead.
Also, the Sloan CVS logs note a security issue. community-image.vuh doesn't appear to be checking for read permission, nor checking that the passed-in revision_id meets any test of validity, e.g. that the requested revision is in fact an image object.
I'd recommend either removing this file from your system if you're confident it isn't being used, or else adding a permission check that looks like this:

    ad_require_permission $revision_id "read"

just before the call to cr_write_content.
Unless anyone objects I'm going to remove this file from .LRN CVS.
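For reference, here is what a hardened version of such a .vuh handler could look like, as an added illustration rather than the real community-image.vuh or any code from the poster: it validates the parameter, requires read permission before any bytes are written, and checks that the revision is an image. It assumes the standard OpenACS APIs (ad_page_contract, ad_require_permission, cr_write_content, db_0or1row) and that cr_revisions.mime_type holds the stored MIME type.

```tcl
# Illustrative hardened image handler (added example, not the original file).
# Assumes standard OpenACS Tcl APIs and the cr_revisions table.

ad_page_contract {
    Serve one image revision to a caller who is allowed to read it.
} {
    revision_id:integer,notnull
}

# The check recommended in the post: the caller must hold "read" on the
# revision. ad_require_permission renders a denial page and stops the
# script if the permission is missing.
ad_require_permission $revision_id "read"

# Validity check: the revision must exist and must be an image.
# Fail closed on a missing row or a non-image MIME type.
# (Assumption: cr_revisions.mime_type carries the stored MIME type.)
if { ![db_0or1row image_rev {
    select mime_type
      from cr_revisions
     where revision_id = :revision_id
}] || ![string match "image/*" $mime_type] } {
    ad_return_complaint 1 "The requested revision is not an image."
    ad_script_abort
}

# Only after both checks pass is the content streamed to the client.
cr_write_content -revision_id $revision_id
```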