cocoon-dev mailing list archives

From Stefano Mazzocchi <stef...@apache.org>
Subject Re: [C2] (hopefully) last sitemap major changes
Date Fri, 07 Jul 2000 10:40:22 GMT
Jonathan Stimmel wrote:
> 
> On Thu, Jul 06, 2000 at 12:09:42AM +0200, Stefano Mazzocchi wrote:
> 
> > Sorry, I don't understand where the security hole is. Can you elaborate
> > more on this?
> 
> Well, here are two chunks from the sitemap:
> 
>    <map:match pattern="dist/*">
>     <map:mount src="./dist/{1}"/>
>    </map:match>
> 
>    ...
> 
>    <map:match pattern="cocoon/dist/*">
>     <map:choose type="ip-filter">
>      <map:when test="allowsAddress()">
>       <map:redirect-to uri="dist/cocoon/{1}"/>
>      </map:when>
>      ...
>     </map:choose>
>    </map:match>
> 
> If I type "cocoon/dist/whatever", cocoon checks my address and then
> processes the request as if I had typed "dist/cocoon/whatever". However,
> there's nothing to prevent me from just typing "dist/cocoon/whatever",
> completely circumventing the authorisation test.

Oh, you are talking about the example, not the sitemap notion behind it.
I understand now.
 
> This isn't really something that can be "fixed", as it's a security
> hole due to poor configuration.

Right, you still have to _build_ your sitemap... we'll find out good or
bad "design patterns" after a while, for sure, not before users start
using it.

> It makes me wonder if the sitemap
> really should have a <redirect-to uri=""/> or whether that role
> should be left to the web server. Thinking about it some more, you
> can still have the same problem redirecting to resources:
> 
>    <map:match pattern="path/*">
>     <map:redirect-to resource="sensitive"/>
>    </map:match>
> 
>    <map:match pattern="path/*">
>     <map:choose type="ip-filter">
>      <map:when test="allowsAddress()">
>       <map:redirect-to resource="sensitive"/>
>      </map:when>
>      ...
>     </map:choose>
>    </map:match>

> Resources are a Good Thing(tm), so we can't eliminate them, which
> means we need <redirect-to>. The only other options I see are
> (a) allow resources to include <map:choose> tags (I'm not sure
> if this is currently the case)

Sure, a resource is just another part of the pipe that you happen to use
often.

> or (b) make certain this case is
> documented (which I think it should be either way).

I agree.... well, redirection is possibly a problem but I guess all
sys-admins know this.

-- 
Stefano Mazzocchi      One must still have chaos in oneself to be
                          able to give birth to a dancing star.
<stefano@apache.org>                             Friedrich Nietzsche
--------------------------------------------------------------------
 Missed us in Orlando? Make it up with ApacheCON Europe in London!
------------------------- http://ApacheCon.Com ---------------------
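
Added example (not part of the original message or of Cocoon): a small audit script for the misconfiguration discussed in the thread, where a matcher checks the address before redirecting to a URI that another matcher serves with no check. It assumes a matcher counts as guarded when all of its children are <map:choose> elements, that "*" matches any characters, and it uses a constructed sitemap with a placeholder namespace; redirects to resource= targets are not covered.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in the thread.
# The namespace URI is a placeholder so that the map: prefix parses.
SITEMAP = """<map:sitemap xmlns:map="urn:example:sitemap">
 <map:match pattern="dist/*">
  <map:mount src="./dist/{1}"/>
 </map:match>
 <map:match pattern="cocoon/dist/*">
  <map:choose type="ip-filter">
   <map:when test="allowsAddress()">
    <map:redirect-to uri="dist/cocoon/{1}"/>
   </map:when>
  </map:choose>
 </map:match>
</map:sitemap>"""

def local(el):
    """Tag name without its namespace part."""
    return el.tag.rsplit("}", 1)[-1]

def is_guarded(match):
    """True when everything the matcher does sits inside a <choose>."""
    children = list(match)
    return bool(children) and all(local(c) == "choose" for c in children)

def find_bypasses(xml_text):
    """Return (guarded pattern, redirect uri, unguarded pattern) triples."""
    matches = [m for m in ET.fromstring(xml_text).iter() if local(m) == "match"]
    findings = []
    for m in (x for x in matches if is_guarded(x)):
        for r in (e for e in m.iter() if local(e) == "redirect-to"):
            uri = r.get("uri")
            if uri is None:  # resource= redirects are out of scope here
                continue
            probe = uri.replace("{1}", "x")  # any concrete wildcard value
            for other in matches:
                # Assumption: "*" matches any characters, "/" included,
                # which is how the thread reads the dist/* matcher.
                if not is_guarded(other) and fnmatch.fnmatchcase(
                        probe, other.get("pattern", "")):
                    findings.append((m.get("pattern"), uri, other.get("pattern")))
    return findings

if __name__ == "__main__":
    for guarded, uri, unguarded in find_bypasses(SITEMAP):
        print(f"{guarded} checks the address, then redirects to {uri};"
              f" {unguarded} serves that path with no check")
```

Wrapping the target matcher's own contents in the same <map:choose> makes the finding disappear, which is the placement the thread points to.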


