Software Security/Group 9/Wanted Documentation


Documentation about phpBB we would have wanted

  • The architecture of phpBB. This would really help when doing code review. In particular, we would want:
    • The list of all PHP files, with an indication of whether each one is supposed to be accessed directly via the browser (we refer to these as entry points) or only included from other PHP files;
    • For each entry point, an indication of its security level (e.g. this should only be accessible to logged-in users, moderators, admins, etc.). As this information is not present, for our code review we had to make assumptions about the intended security levels. While we, of course, tried to make reasonable assumptions, the phpBB developers might have different views.
    • The information flow graphs: which data are sent, and to which particular PHP files.
    • Include graphs: phpBB keeps common code in separate files that are "include"-d by the PHP files that need them. It would be helpful to have a graph of which files a particular page includes.
    • A graph showing how pages are linked to each other under different roles might also be useful.
In our code review process, we had to spend some time working out all of the above by ourselves.
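The entry-point list and include graph asked for above can be approximated mechanically. The following script is an added example (not part of the original page and not phpBB's own tooling): it scans a constructed, phpBB2-like set of source files embedded inline, follows `include`/`require` statements, resolves the `$phpbb_root_path` and `$phpEx` variables that phpBB2 uses to build paths (assumed values `''` and `'php'`), and reports which files are entry points (included by nobody), which are library files, and which library files lack a `defined('IN_PHPBB')` guard and are therefore reachable directly from the browser. Includes whose path depends on any other variable are reported as dynamic rather than guessed.

```python
"""Derive an include graph and entry-point list from a phpBB-like PHP tree."""
import posixpath
import re
from collections import defaultdict

# Constructed sample tree (path -> source). This is illustrative data,
# not phpBB's real source code.
SAMPLE_TREE = {
    "index.php": """<?php
define('IN_PHPBB', true);
$phpbb_root_path = './';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/functions_post.' . $phpEx);
include($phpbb_root_path . 'language/lang_' . $board_config['default_lang'] . '/lang_main.' . $phpEx);
""",
    "viewtopic.php": """<?php
define('IN_PHPBB', true);
$phpbb_root_path = './';
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.' . $phpEx);
include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
""",
    "extension.inc": """<?php
if ( !defined('IN_PHPBB') ) { die('Direct access not allowed'); }
$phpEx = 'php';
""",
    "common.php": """<?php
if ( !defined('IN_PHPBB') ) { die('Direct access not allowed'); }
include($phpbb_root_path . 'config.' . $phpEx);
include($phpbb_root_path . 'includes/db.' . $phpEx);
""",
    # Deliberately unguarded library file: directly reachable via the browser.
    "config.php": """<?php
$dbhost = 'localhost';
$dbname = 'phpbb';
""",
    "includes/db.php": """<?php
if ( !defined('IN_PHPBB') ) { die('Direct access not allowed'); }
""",
    "includes/functions_post.php": """<?php
if ( !defined('IN_PHPBB') ) { die('Direct access not allowed'); }
include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
""",
    "includes/bbcode.php": """<?php
if ( !defined('IN_PHPBB') ) { die('Direct access not allowed'); }
""",
}

# One include/require statement; group 1 is the path expression.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]+?)\s*\)?\s*;")
# Tokens of a path expression: a variable (with optional array subscripts) or a string literal.
TOKEN_RE = re.compile(r"(\$\w+(?:\[[^\]]*\])*)|'([^']*)'|\"([^\"]*)\"")
# Guard that phpBB2-style library files use to refuse direct browser access.
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]IN_PHPBB['\"]\s*\)")
# Assumed values for the two variables phpBB2 uses to build include paths.
KNOWN_VARS = {"$phpbb_root_path": "", "$phpEx": "php"}


def resolve_include(expr):
    """Return the normalized path of an include expression, or None if it is dynamic."""
    parts = []
    for var, single, double in TOKEN_RE.findall(expr):
        if var:
            if var not in KNOWN_VARS:
                return None  # depends on runtime data: cannot be resolved statically
            parts.append(KNOWN_VARS[var])
        else:
            parts.append(single or double)
    return posixpath.normpath("".join(parts))


def build_include_graph(tree):
    """Map each file to the set of files it includes; collect unresolved includes."""
    graph = {path: set() for path in tree}
    dynamic = []
    for path, src in tree.items():
        for expr in INCLUDE_RE.findall(src):
            target = resolve_include(expr)
            if target is None:
                dynamic.append((path, expr))
            else:
                graph[path].add(target)
    return graph, dynamic


def has_include_guard(src):
    return bool(GUARD_RE.search(src))


def classify(tree):
    """Split the tree into entry points and included files; flag unguarded library files."""
    graph, dynamic = build_include_graph(tree)
    included_by = defaultdict(set)
    for source, targets in graph.items():
        for target in targets:
            included_by[target].add(source)
    entry_points = sorted(f for f in tree if f not in included_by)
    included = sorted(f for f in tree if f in included_by)
    unguarded = sorted(f for f in included if not has_include_guard(tree[f]))
    return {"entry_points": entry_points, "included": included,
            "unguarded_included": unguarded, "dynamic_includes": dynamic, "graph": graph}


def transitive_includes(graph, start):
    """All files pulled in, directly or indirectly, when `start` is executed."""
    seen, stack = set(), [start]
    while stack:
        for target in graph.get(stack.pop(), ()):
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return seen


if __name__ == "__main__":
    report = classify(SAMPLE_TREE)
    print("entry points:", report["entry_points"])
    print("included files:", report["included"])
    print("included but unguarded:", report["unguarded_included"])
    print("dynamic includes:", report["dynamic_includes"])
    print("index.php pulls in:", sorted(transitive_includes(report["graph"], "index.php")))
```

On the sample tree the script lists `index.php` and `viewtopic.php` as entry points, flags `config.php` as an included file that has no guard, and reports the language include in `index.php` as dynamic because its path depends on `$board_config`. Run against a real checkout, the dynamic-include list is exactly where manual review has to take over, and the unguarded list is the first place to check the assumed security level of each file.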
  • "Run-time documentation"
phpBB does not include much helpful in-app documentation. For example, when installing phpBB2, if there are any problems, the installer just fails silently, with no indication of what went wrong or what to do. Some of our group members had problems installing phpBB because of this.
Even basic informative error messages would be useful. Some people unnecessarily spent a lot of time wondering why their installations didn't work.
  • Up-to-date documentation
This might be irrelevant, as we are working with phpBB2, which is no longer maintained. Consequently, the documentation provided is seriously outdated and does not reflect the current situation. For example, the requirements document states that phpBB requires MySQL 3.22 or later. However, as MySQL 5 introduced significant changes, phpBB won't work out of the box with MySQL 5.