cocoon-dev mailing list archives

From Jonathan Stimmel <jon-li...@stimmel.net>
Subject Re: [C2] (hopefully) last sitemap major changes
Date Wed, 05 Jul 2000 23:07:02 GMT
On Thu, Jul 06, 2000 at 12:09:42AM +0200, Stefano Mazzocchi wrote:

> Sorry, I don't understand where the security hole is. Can you elaborate
> more on this?

Well, here are two chunks from the sitemap:

   <map:match pattern="dist/*">
    <map:mount src="./dist/{1}"/>
   </map:match>

   ...

   <map:match pattern="cocoon/dist/*">
    <map:choose type="ip-filter">
     <map:when test="allowsAddress()">
      <map:redirect-to uri="dist/cocoon/{1}"/>
     </map:when>
     ...
    </map:choose>
   </map:match>

If I type "cocoon/dist/whatever", cocoon checks my address and then
processes the request as if I had typed "dist/cocoon/whatever". However,
there's nothing to prevent me from just typing "dist/cocoon/whatever",
completely circumventing the authorisation test.

This isn't really something that can be "fixed", as it's a security
hole due to poor configuration. It makes me wonder if the sitemap
really should have a <redirect-to uri=""/> or whether that role
should be left to the web server. Thinking about it some more, you
can still have the same problem redirecting to resources:

   <map:match pattern="path/*">
    <map:redirect-to resource="sensitive"/>
   </map:match>

   <map:match pattern="path/*">
    <map:choose type="ip-filter">
     <map:when test="allowsAddress()">
      <map:redirect-to resource="sensitive"/>
     </map:when>
     ...
    </map:choose>
   </map:match>

Resources are a Good Thing(tm), so we can't eliminate them, which
means we need <redirect-to>. The only other options I see are
(a) allow resources to include <map:choose> tags (I'm not sure
if this is currently the case) or (b) make certain this case is
documented (which I think it should be either way).
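The misconfiguration described above can be checked mechanically before a sitemap is deployed. What follows is an added example, not code from the Cocoon project or from anyone in this thread: a small Python audit that parses a sitemap fragment and reports every resource or URI that is reachable behind an ip-filter choose and also through a matcher that applies no such guard. It assumes the Cocoon 2 sitemap namespace http://apache.org/cocoon/sitemap/1.0 and the element names used in the message; both sitemaps in it are constructed for the example (the weak one from the two fragments above with the elided otherwise branches filled in, the hardened one showing the address test moved into the only matcher that reaches each target), and the wildcard handling is deliberately conservative, treating "*" as matching across "/", so it over-reports rather than misses a public route.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the Cocoon 2 sitemap namespace; change it to match the sitemap audited.
MAP_NS = "http://apache.org/cocoon/sitemap/1.0"

def q(local):
    """Qualified tag name in the sitemap namespace."""
    return "{%s}%s" % (MAP_NS, local)

def _collect(elem, guarded, out):
    """Record each redirect-to/mount below a matcher as (target, guarded); guarded
    means an ip-filter <map:when> sits between the matcher and that element."""
    for child in elem:
        if child.tag == q("choose") and child.get("type") == "ip-filter":
            for branch in child:
                # only <map:when> is behind the address test; <map:otherwise> is open
                _collect(branch, guarded or branch.tag == q("when"), out)
        elif child.tag == q("redirect-to"):
            if child.get("resource") is not None:
                out.append(("resource:" + child.get("resource"), guarded))
            elif child.get("uri") is not None:
                out.append(("uri:" + child.get("uri"), guarded))
        elif child.tag == q("mount"):
            out.append(("mount:" + (child.get("src") or ""), guarded))
        else:
            _collect(child, guarded, out)

def _pattern_regex(pattern):
    """Conservative wildcard translation: '*' and '**' both match anything,
    '/' included, so the audit over-reports rather than misses a public route."""
    return re.compile(".*".join(re.escape(p) for p in re.split(r"\*+", pattern)))

def _concrete(uri):
    """Replace sitemap substitutions such as {1} with a sample segment."""
    return re.sub(r"\{\d+\}", "x", uri)

def find_bypasses(sitemap_xml):
    """Return (guarded_pattern, target, open_pattern) triples: target sits behind an
    ip-filter under guarded_pattern, but open_pattern reaches it with no guard."""
    root = ET.fromstring(sitemap_xml)
    matches = []
    for m in root.iter(q("match")):
        reached = []
        _collect(m, False, reached)
        matches.append((m.get("pattern"), reached))
    findings = []
    for i, (pattern, reached) in enumerate(matches):
        for target, guarded in reached:
            if not guarded:
                continue
            for j, (other_pattern, other_reached) in enumerate(matches):
                if not any(not g for _, g in other_reached):
                    continue  # every route in this matcher is guarded
                # same resource/URI reached without a guard, or an open matcher
                # whose pattern covers the URI the guarded redirect points at
                same_target = any(t == target and not g for t, g in other_reached)
                uri_covered = (j != i and target.startswith("uri:") and
                               _pattern_regex(other_pattern).fullmatch(
                                   _concrete(target[len("uri:"):])) is not None)
                if same_target or uri_covered:
                    findings.append((pattern, target, other_pattern))
    return findings

# Constructed sample: the two situations from the message, made well-formed XML.
WEAK_SITEMAP = """<map:sitemap xmlns:map="%s">
 <map:match pattern="dist/*">
  <map:mount src="./dist/{1}"/>
 </map:match>
 <map:match pattern="cocoon/dist/*">
  <map:choose type="ip-filter">
   <map:when test="allowsAddress()"><map:redirect-to uri="dist/cocoon/{1}"/></map:when>
   <map:otherwise><map:redirect-to uri="forbidden"/></map:otherwise>
  </map:choose>
 </map:match>
 <map:match pattern="path/*">
  <map:redirect-to resource="sensitive"/>
 </map:match>
 <map:match pattern="path/*">
  <map:choose type="ip-filter">
   <map:when test="allowsAddress()"><map:redirect-to resource="sensitive"/></map:when>
   <map:otherwise><map:redirect-to resource="denied"/></map:otherwise>
  </map:choose>
 </map:match>
</map:sitemap>""" % MAP_NS

# Constructed hardened form: the address test lives in the only matcher that
# reaches each sensitive target, so no unguarded route to it remains.
HARDENED_SITEMAP = """<map:sitemap xmlns:map="%s">
 <map:match pattern="dist/*">
  <map:choose type="ip-filter">
   <map:when test="allowsAddress()"><map:mount src="./dist/{1}"/></map:when>
   <map:otherwise><map:redirect-to uri="forbidden"/></map:otherwise>
  </map:choose>
 </map:match>
 <map:match pattern="path/*">
  <map:choose type="ip-filter">
   <map:when test="allowsAddress()"><map:redirect-to resource="sensitive"/></map:when>
   <map:otherwise><map:redirect-to resource="denied"/></map:otherwise>
  </map:choose>
 </map:match>
</map:sitemap>""" % MAP_NS

if __name__ == "__main__":
    for g, t, o in find_bypasses(WEAK_SITEMAP):
        print("%s guards %s, but %s reaches it unguarded" % (g, t, o))
    print("hardened findings:", find_bypasses(HARDENED_SITEMAP))
```

Run against the weak sitemap the audit reports two findings, one for the URI case (the guarded redirect to dist/cocoon/{1} lands on the open dist/* matcher) and one for the resource case (the "sensitive" resource is reached unguarded by the first path/* matcher); against the hardened sitemap it reports none. The check is deliberately structural: it does not evaluate allowsAddress(), it only asks whether the address test can be walked around.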
