cocoon-dev mailing list archives

From Piroumian Konstantin <KPiroum...@protek.com>
Subject RE: [RT] Cocoon Blocks
Date Fri, 05 Jul 2002 08:18:35 GMT
> From: John Morrison [mailto:john.r.morrison@ntlworld.com]
> > > From: J.Pietschmann [mailto:j3322ptm@yahoo.de]
> > > Piroumian Konstantin wrote:
> > > > If your sitemap is somewhere in WEB-INF then having sitemap.xml would be
> > > > obvious, but if you have sitemap in the same directory where your content
> > > > files are located then one could view your sitemap by simply typing
> > > > 'sitemap.xml' in the request path. To prevent this you would have to set up a
> > > > special pipeline in your sitemap or use resource constraints in web.xml.
> > >
> > > Does using "sitemap.xmap" prevent illegal access?
> >
> > Since you do not provide a pipeline for anything that matches "sitemap.xmap"
> > then your sitemap won't be exposed, will it? But if you have a pipeline
> > with a matcher "*.xml" then having "sitemap.xml" in the same directory will
> > allow users to view your sitemap file. I'd not like to show my production
> > sitemaps to users.
>
> That's assuming that you keep xml in the "root" of your web
> app along with your sitemap.  The examples which come with
> Cocoon are clearly separated and I've never seen anyone who
> does keep their production xml in the root either.  Of course
> there's risk, if you make a mistake in the sitemap you can
> expose anything - even files in WEB-INF (just because the
> servlet blocks http://xxx/<webapp>/WEB-INF/ doesn't
> mean you can't do
>

But what about the sub-sitemaps?

> <map:match pattern="WEB/**">
>  <map:read src="WEB-INF/{1}"/>
> </map:match>
> 
> which will expose your web-inf dir nicely :(.

This can be done only intentionally (or by a newbie). A more realistic
example can be:

<map:match pattern="**.xml">
  <map:generate src="{1}.xml"/>
</map:match>

And you can accidentally mount your sub-sitemaps after this matcher and
that's it: users type 'subdir/sitemap.xml' and see your sitemap.

> 
> Security isn't something you do once - it's a way of life (a
> quote I think but I don't know who from).

Agree. 
Having 'xmap' extension for the sitemap only lowers the probability of
viewing it by the user, but, of course, it won't make your website
absolutely secure.

Konstantin

> 
> J.
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
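The two mistakes discussed in this thread (a `WEB/**` matcher that reads from `WEB-INF/{1}`, and a broad `**.xml` matcher mounted ahead of the sub-sitemaps so that `subdir/sitemap.xml` is served as content) are both matcher-ordering and pattern-scope problems that can be checked mechanically. The following audit script is an added example, not code from this thread or from the Cocoon project. It assumes the wildcard semantics of Cocoon's sitemap matcher (`*` matches within one path segment, `**` matches across segments, and each wildcard fills `{1}`, `{2}`, ... in the action's `src`), resolves a request path against the matchers in document order, and flags any `read` or `generate` whose resolved `src` is a sitemap file or lies under `WEB-INF`. The two sitemaps it inspects are constructed for the example: a weak one built from the patterns quoted above, and a hardened one that mounts the sub-sitemap first and narrows the content matcher to a single directory with `*`.

```python
"""Audit a Cocoon sitemap for matchers that expose sitemap files or WEB-INF.

Added example; the sitemaps below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

MAP_NS = "http://apache.org/cocoon/sitemap/1.0"

# Files a pipeline must never hand out verbatim: the sitemap itself (either
# extension) and anything under WEB-INF. Constructed policy for this example.
SENSITIVE_SRC = re.compile(r"(^|/)sitemap\.(xml|xmap)$|^WEB-INF(/|$)")

# Actions that deliver the resolved src to the client. A mount only delegates
# to a sub-sitemap, whose own matchers then decide what is served.
SERVING_ACTIONS = {"read", "generate"}

# Weak: WEB/** reads from WEB-INF, and **.xml runs before the sub-sitemap mount,
# so 'subdir/sitemap.xml' is served as ordinary content.
WEAK_SITEMAP = """<map:sitemap xmlns:map="%s">
  <map:pipelines><map:pipeline>
    <map:match pattern="WEB/**"><map:read src="WEB-INF/{1}"/></map:match>
    <map:match pattern="**.xml"><map:generate src="{1}.xml"/></map:match>
    <map:match pattern="subdir/**"><map:mount uri-prefix="subdir" src="subdir/sitemap.xmap"/></map:match>
  </map:pipeline></map:pipelines>
</map:sitemap>""" % MAP_NS

# Hardened: mount the sub-sitemap first, and scope the content matcher to one
# directory with '*' (which does not cross '/'), so no other path reaches it.
HARDENED_SITEMAP = """<map:sitemap xmlns:map="%s">
  <map:pipelines><map:pipeline>
    <map:match pattern="subdir/**"><map:mount uri-prefix="subdir" src="subdir/sitemap.xmap"/></map:match>
    <map:match pattern="content/*.xml"><map:generate src="content/{1}.xml"/></map:match>
  </map:pipeline></map:pipelines>
</map:sitemap>""" % MAP_NS

# Constructed request paths a reviewer would try against each sitemap.
PROBES = ["content/index.xml", "WEB/web.xml", "subdir/sitemap.xml", "sitemap.xml"]


def wildcard_to_regex(pattern):
    """Translate a Cocoon wildcard pattern into an anchored regex.

    '*' matches any run of characters within one segment (no '/'), '**'
    matches across segments; each wildcard becomes a capture group so that
    {1}, {2}, ... can be substituted into the action's src attribute.
    """
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + "(.*)", i + 2
        elif pattern[i] == "*":
            out, i = out + "([^/]*)", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def resolve(sitemap_xml, request_path):
    """Return (pattern, action, resolved_src) for the first matcher, in
    document order, that accepts request_path; None if nothing matches."""
    root = ET.fromstring(sitemap_xml)
    for match in root.iter("{%s}match" % MAP_NS):
        pattern = match.get("pattern")
        mo = wildcard_to_regex(pattern).match(request_path)
        if not mo:
            continue
        action = next(iter(match), None)  # first action inside the matcher
        if action is None:
            return pattern, None, None
        name = action.tag.rsplit("}", 1)[-1]
        src = action.get("src")
        if src:
            for idx, group in enumerate(mo.groups(), start=1):
                src = src.replace("{%d}" % idx, group)
        return pattern, name, src
    return None


def audit(sitemap_xml, probe_paths):
    """Return [(probe, pattern, src)] for each probe that a serving action
    would answer with a sensitive file."""
    findings = []
    for probe in probe_paths:
        hit = resolve(sitemap_xml, probe)
        if hit is None:
            continue
        pattern, name, src = hit
        if name in SERVING_ACTIONS and src and SENSITIVE_SRC.search(src):
            findings.append((probe, pattern, src))
    return findings


if __name__ == "__main__":
    for label, sitemap in (("weak", WEAK_SITEMAP), ("hardened", HARDENED_SITEMAP)):
        print(label, audit(sitemap, PROBES))
```

Run stand-alone, the weak sitemap reports three findings (`WEB/web.xml` served from `WEB-INF/web.xml`, and both `subdir/sitemap.xml` and `sitemap.xml` served by the `**.xml` generator), while the hardened sitemap reports none: `subdir/sitemap.xml` now reaches the mount and is left to the sub-sitemap, and `sitemap.xml` matches nothing at all. Note the script only checks the top-level sitemap; a mounted sub-sitemap has to be audited the same way with its own probes.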

