cocoon-dev mailing list archives

From "John Morrison" <john.r.morri...@ntlworld.com>
Subject RE: [RT] Cocoon Blocks
Date Fri, 05 Jul 2002 07:58:54 GMT
> > From: J.Pietschmann [mailto:j3322ptm@yahoo.de]
> > Piroumian Konstantin wrote:
> > > If your sitemap is somewhere in WEB-INF then having sitemap.xml would be
> > > obvious, but if you have the sitemap in the same directory where your
> > > content files are located then one could view your sitemap by simply
> > > typing 'sitemap.xml' in the request path. To prevent this you would have
> > > to set up a special pipeline in your sitemap or use resource constraints
> > > in web.xml.
> >
> > Does using "sitemap.xmap" prevent illegal access?
>
> Since you do not provide a pipeline for anything that matches "sitemap.xmap"
> then your sitemap won't be exposed, isn't it? But if you have a pipeline
> with a matcher "*.xml" then having "sitemap.xml" in the same directory will
> allow viewing your sitemap file. I'd not like to show my production sitemaps
> to users.

That's assuming that you keep xml in the "root" of your web
app along with your sitemap.  The examples which come with
Cocoon are clearly separated and I've never seen anyone who
does keep their production xml in the root either.  Of course
there's risk: if you make a mistake in the sitemap you can
expose anything, even files in WEB-INF. Just because the
servlet blocks http://xxx/<webapp>/WEB-INF/ doesn't
mean you can't do

<map:match pattern="WEB/**">
 <map:read src="WEB-INF/{1}"/>
</map:match>

which will expose your WEB-INF dir nicely :(.

Security isn't something you do once, it's a way of life (a
quote, I think, but I don't know from whom).

J.

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org
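The two hazards raised in this thread, a wildcard matcher that serves the sitemap itself and a matcher whose src points under WEB-INF, can be caught before deployment by reading the sitemap rather than by probing the live server. What follows is an added example written for this archive page; it is not code from the mail above or from the Cocoon project. It parses a sitemap.xmap with Python's ElementTree, translates Cocoon wildcard patterns (a single '*' matches within one path segment, '**' matches across segments) into regexes so that {1}, {2}, ... can be substituted the way the sitemap would, and reports any map:read or map:generate whose resolved src lands under WEB-INF or on the sitemap file. The sample sitemap, the probe request paths, and the Cocoon 2 sitemap namespace URI used for parsing are assumptions of the example.

```python
"""Static lint for Cocoon sitemap matchers that can expose files.

Added example, not part of the original mail or of Cocoon itself.
The sample sitemap at the bottom is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Cocoon 2 sitemap namespace (assumed for the example; adjust if yours differs).
NS = {"map": "http://apache.org/cocoon/sitemap/1.0"}


def wildcard_to_regex(pattern):
    """Translate a Cocoon wildcard pattern into a compiled regex.

    '**' becomes a group that spans any number of path segments,
    '*' a group that stays inside one segment; everything else is literal.
    The groups are numbered so {1}, {2}, ... line up with the sitemap's own
    substitution variables.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append("(.*)")
            i += 2
        elif pattern[i] == "*":
            out.append("([^/]*)")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def resolve_src(src, match):
    """Substitute {n} placeholders in a src attribute from the match groups."""
    return re.sub(r"\{(\d+)\}", lambda m: match.group(int(m.group(1))), src)


def normalize(path):
    """Collapse '.' and '..' segments so a src reaching WEB-INF via '..' is
    still recognised (only matters if the container passes '..' through)."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)


def audit_sitemap(xml_text, probes=("sitemap.xmap", "sitemap.xml", "WEB/web.xml")):
    """Return (pattern, probe_request, resolved_src, reason) findings.

    Each probe is a request path an attacker might type; every matcher that
    accepts it has its reader/generator src resolved and checked.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for m in root.iter("{%s}match" % NS["map"]):
        pattern = m.get("pattern")
        if pattern is None:
            continue
        rx = wildcard_to_regex(pattern)
        readers = m.findall("map:read", NS) + m.findall("map:generate", NS)
        for req in probes:
            hit = rx.match(req)
            if not hit:
                continue
            for r in readers:
                resolved = normalize(resolve_src(r.get("src", ""), hit))
                if resolved.startswith("WEB-INF"):
                    findings.append((pattern, req, resolved, "reads under WEB-INF"))
                elif resolved.endswith(("sitemap.xmap", "sitemap.xml")):
                    findings.append((pattern, req, resolved, "serves the sitemap itself"))
    return findings


# Constructed sample: one matcher from the mail, one '*.xml' matcher from the
# quoted discussion, and one matcher that keeps content in its own directory.
SAMPLE_SITEMAP = """<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">
  <map:pipelines>
    <map:pipeline>
      <map:match pattern="WEB/**">
        <map:read src="WEB-INF/{1}"/>
      </map:match>
      <map:match pattern="*.xml">
        <map:read src="{1}.xml" mime-type="text/xml"/>
      </map:match>
      <map:match pattern="docs/*.html">
        <map:generate src="content/{1}.xml"/>
        <map:serialize type="html"/>
      </map:match>
    </map:pipeline>
  </map:pipelines>
</map:sitemap>
"""

if __name__ == "__main__":
    for pattern, req, src, reason in audit_sitemap(SAMPLE_SITEMAP):
        print("%-12s request %-14s -> %-18s %s" % (pattern, req, src, reason))
```

Run against the sample, the lint flags the "WEB/**" matcher (request WEB/web.xml resolves to WEB-INF/web.xml) and the "*.xml" matcher (request sitemap.xml serves sitemap.xml itself), while the "docs/*.html" matcher, whose content lives in its own directory, produces nothing. Extend the probes list with the file names of your own deployment; the check is only as good as the request paths you feed it.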

