shacker Posted November 28, 2014 Share Posted November 28, 2014 (edited) Ok, just uploaded a updated version of my module, and now says that i cant put my email on the documentation. Funny thing, i use my email in doc for ages in prestastore and never have a problem. And is a hotmail address, so no direct mail to my site. And later the module was declined becouse security issues, and i run the prestashop validator and the module have no security issues. Whats wrong guys? The module is the countdown Specials Edited December 2, 2014 by shacker (see edit history) Link to comment Share on other sites More sharing options...
shacker Posted November 28, 2014 Author Share Posted November 28, 2014 now i read that have new rules. where i can see it? Link to comment Share on other sites More sharing options...
samyha Posted November 28, 2014 Share Posted November 28, 2014 Hi shacker, Have you tried to contact the Addons team about the issue directly from the contributor's form on the website? The contributor's terms and conditions has, indeed, changed. You can find them here: http://bit.ly/1ykPnrY.Have a nice day! Link to comment Share on other sites More sharing options...
safa Posted November 28, 2014 Share Posted November 28, 2014 now i read that have new rules. where i can see it? hi shacker ; please share reason with us . reason will be help us . Link to comment Share on other sites More sharing options...
shacker Posted November 28, 2014 Author Share Posted November 28, 2014 Ok, just read and found this: Redirection of Client's correspondence relating to Addons to a messaging service other than that of PrestaShop Addons. So its new for me, becouse i always use a hotmail mail to support, becouse prestastore support sometimes is slow for communication. The security issues now is something like this: Hello, We notice some security iossues with your SQL queries. Please protect fields with cast or pSQL() in all your queries. For example : public function getdomain($shop) { $result = Db::getInstance()->ExecuteS(' SELECT * FROM `'._DB_PREFIX_.'shop_url` WHERE `id_shop` = '.$shop.' LIMIT 1'); return ($result); } public function getPages($pety) But validator dont show any error or warning. So i think is a new request Link to comment Share on other sites More sharing options...
bellini13 Posted November 29, 2014 Share Posted November 29, 2014 If the terms were updated, why are we as contributors not notified about the changes and have to re-accept them? I may have agreed to the original terms, but if PS changes those terms it does not automatically mean that I accept them... 1 Link to comment Share on other sites More sharing options...
Emmanuel M. Posted December 1, 2014 Share Posted December 1, 2014 Hi everyone, The terms are the same since this summer. Regarding security, the validator can't show you missing casts, it's too risky to have "false alerts". This is why we check manually every modules. Emmanuel Link to comment Share on other sites More sharing options...
shacker Posted December 1, 2014 Author Share Posted December 1, 2014 Hi everyone, The terms are the same since this summer. Regarding security, the validator can't show you missing casts, it's too risky to have "false alerts". This is why we check manually every modules. Emmanuel Ok, i get a meila that the variables in queries must be cast, im right? or need to be all variables?? Link to comment Share on other sites More sharing options...
Emmanuel M. Posted December 1, 2014 Share Posted December 1, 2014 All variables in requests Link to comment Share on other sites More sharing options...
bellini13 Posted December 1, 2014 Share Posted December 1, 2014 All variables in requests Emmanuel, could you explain what this means? I thought the discussion was about casting/protecting variables used in SQL statements? What is the scope of "All variables in requests"? Also, to Shacker's originally question, if the module is being manually scanned for 'security issues', if the module is declined shouldn't the decline email provide the exact reasons for the failure? As to avoid additional emails and delays for getting the updated module listed? Lastly, I'd like to request that the Validator page include what these manual checks are. I shouldn't have to guess as to what the latest standards that PS uses during its validation. Keeping the validator page up to date with your manual checks will help with consistency across both the module developers and the person performing this manual validation. Link to comment Share on other sites More sharing options...
shacker Posted December 1, 2014 Author Share Posted December 1, 2014 Emmanuel, could you explain what this means? I thought the discussion was about casting/protecting variables used in SQL statements? What is the scope of "All variables in requests"? Also, to Shacker's originally question, if the module is being manually scanned for 'security issues', if the module is declined shouldn't the decline email provide the exact reasons for the failure? As to avoid additional emails and delays for getting the updated module listed? Lastly, I'd like to request that the Validator page include what these manual checks are. I shouldn't have to guess as to what the latest standards that PS uses during its validation. Keeping the validator page up to date with your manual checks will help with consistency across both the module developers and the person performing this manual validation. Agree that the news requests must be available in some place, so we dont get rejections when new requests comes. Like a popup with new rules into the validator or something else Link to comment Share on other sites More sharing options...
Emmanuel M. Posted December 2, 2014 Share Posted December 2, 2014 @Bellini13 : We are saying the same things, all variables used in SQL requests must be casted. We are telling exactly the reason in our decline message. Security issues the basis and don't need to be specified anywhere. Regarding new rules, it is included in the validator or in our terms, so you will be aware, one way or another. Emmanuel 1 Link to comment Share on other sites More sharing options...
bellini13 Posted December 2, 2014 Share Posted December 2, 2014 Hi Emmanuel, thanks for your feedback, however I believe your response and Shacker's original post conflict. Shacker can correct me where I am wrong, but when I read his statement (quoted below), it sounds like it was declined for 'security issues', without being instructed on what security issues there are. And later the module was declined becouse security issues, and i run the prestashop validator and the module have no security issues. Whats wrong guys? The module is the countdown Specials Regarding being in the validator or 'in our terms', if the terms have not been updated since July, where are these 'security issues' documented? Regarding new rules, it is included in the validator or in our terms, so you will be aware, one way or another. Link to comment Share on other sites More sharing options...
shacker Posted December 2, 2014 Author Share Posted December 2, 2014 Hi Emmanuel, thanks for your feedback, however I believe your response and Shacker's original post conflict. Shacker can correct me where I am wrong, but when I read his statement (quoted below), it sounds like it was declined for 'security issues', without being instructed on what security issues there are. Regarding being in the validator or 'in our terms', if the terms have not been updated since July, where are these 'security issues' documented? The first rejection was for email, ans security (but no say what security), i get response later. but i think add the check of cast in sql queries in validator is a good add on Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now