Fixed invalid CSS, bumped stylus #712
Conversation
"highlight-color += 10%" in context-menu.styl produces an invalid color entry in CSS
As described in Automattic#713 - Automattic#713 node generates main.css out of the styles files on demand. This might be convenient for many scenarios, but this is a big security issue because node must have write access to its own code directory -- thus some bug might allow attacker to overwrite ones own code. IMO, Kue should include main.css in the repository, so that a locked-down server without write access wouldn't break it.
|
@behrad, adding the main.css to the distribution solves the problem for the secure servers - in our case, Wikimedia servers are well secured, and their settings do not allow on-the-fly code modification - that's why I noticed this issue. In general case, I don't think stylus should generate code dynamically at all - its not a good practice to rely on it - code should stay static. As for injection - its impossible to "fix it" via the code here, it can only be solved by doing what we already did - by setting proper file permissions on the production server. This way if someone discovers a bug in our code and uses it to try to write a local file, they will fail because of the file permissions. |
|
P.S. I do notice that once in a while the style does not load even though it is there, and I have to refresh. I don't know what's causing it, might be some other stale cache issue. |
|
Kue is updated, and there are conflicts :) |
"highlight-color += 10%" in context-menu.styl produces
an invalid color entry in CSS