cocoon-dev mailing list archives

From "John Morrison" <john.r.morri...@ntlworld.com>
Subject RE: [RT] Cocoon Blocks
Date Fri, 05 Jul 2002 08:29:12 GMT
> From: Piroumian Konstantin [mailto:KPiroumian@protek.com]
> > From: John Morrison [mailto:john.r.morrison@ntlworld.com]
> > > > From: J.Pietschmann [mailto:j3322ptm@yahoo.de]
> > > > Piroumian Konstantin wrote:
> > > > > If your sitemap is somewhere in WEB-INF then having
> > > > > sitemap.xml would be obvious, but if you have the sitemap in
> > > > > the same directory where your content files are located
> > > > > then one could view your sitemap by simply typing
> > > > > 'sitemap.xml' in the request path. To prevent this you would
> > > > > have to set up a special pipeline in your sitemap or use
> > > > > resource constraints in web.xml.
> > > >
> > > > Does using "sitemap.xmap" prevent illegal access?
> > >
> > > Since you do not provide a pipeline for anything that matches
> > > "sitemap.xmap" then your sitemap won't be exposed, will it? But
> > > if you have a pipeline with a matcher "*.xml" then having
> > > "sitemap.xml" in the same directory will allow viewing your
> > > sitemap file. I'd not like to show my production sitemaps to
> > > users.
> >
> > That's assuming that you keep xml in the "root" of your web
> > app along with your sitemap.  The examples which come with
> > Cocoon are clearly separated and I've never seen anyone who
> > does keep their production xml in the root either.  Of course
> > there's risk, if you make a mistake in the sitemap you can
> > expose anything - even files in WEB-INF (just because the
> > servlet blocks http://xxx/<webapp>/WEB-INF/ doesn't
> > mean you can't do
>
> But what about the sub-sitemaps?
>

<contrived_example snip="true"/> 
> 
> This can be done only intentionally (or by a newbie). A more realistic
> example can be:
> 
> <map:match pattern="**.xml">
>   <map:generate src="{1}.xml"/>
> </map:match>

True, much more realistic.

> And you can accidentally mount your sub-sitemaps after this matcher and
> that's it: users type 'subdir/sitemap.xml' and see your sitemap.
> 
> > Security isn't something you do once - it's a way of life (a
> > quote I think but I don't know who from).
> 
> Agree. 
> Having 'xmap' extension for the sitemap only lowers the probability of
> viewing it by the user, but, of course, it won't make your website
> absolutely secure.

Agreed, but I don't think it's something we should force on people (putting
it in WEB-INF).

The other possibility would be for Cocoon to realise what it's sending
is a sitemap (or sub map) and throw a 404 unless, for example, the
match was marked in some way to _allow_ cocoon control files...

J.

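The ordering problem behind the quoted `**.xml` matcher, as an added example that is not part of this thread or of Cocoon itself: a small Python script that emulates Cocoon's first-match sitemap evaluation (`*` stays within one path segment, `**` spans segments, and the captured groups substitute into `{1}`, `{2}`, ... of the `src` attribute) over two constructed sitemap fragments. The first mounts the sub-sitemap after the catch-all, so a request for `subdir/sitemap.xml` is read and served as plain XML; the second puts deny matchers for `**sitemap.xml` and `**.xmap` ahead of everything else and serves a static page instead. The sitemap fragments, the request paths and the `errors/not-found.xml` page are constructed for illustration and are not files Cocoon ships.

```python
"""Emulate Cocoon's first-match sitemap evaluation.  Added example, not Cocoon
code: matchers are tried in document order and the first fitting pattern
decides what is served, so a deny rule for control files must come first."""
import re
import xml.etree.ElementTree as ET

NS = "{http://apache.org/cocoon/sitemap/1.0}"

# Constructed sitemap fragments for illustration; errors/not-found.xml is an
# assumed static page, not something Cocoon ships.
RISKY_SITEMAP = """\
<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">
 <map:pipelines><map:pipeline>
  <!-- catch-all first: it also fits subdir/sitemap.xml -->
  <map:match pattern="**.xml">
   <map:generate src="{1}.xml"/>
   <map:serialize type="xml"/>
  </map:match>
  <!-- sub-sitemap mounted after the catch-all, so it is never reached -->
  <map:match pattern="subdir/**">
   <map:mount uri-prefix="subdir/" src="subdir/sitemap.xml"/>
  </map:match>
 </map:pipeline></map:pipelines>
</map:sitemap>
"""

HARDENED_SITEMAP = """\
<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">
 <map:pipelines><map:pipeline>
  <!-- deny control files before any pipeline can serve them; **sitemap.xml
       is deliberately broad and also stops requests for subdir/sitemap.xml
       reaching the mounted sub-sitemap -->
  <map:match pattern="**sitemap.xml">
   <map:generate src="errors/not-found.xml"/>
   <map:serialize type="html"/>
  </map:match>
  <map:match pattern="**.xmap">
   <map:generate src="errors/not-found.xml"/>
   <map:serialize type="html"/>
  </map:match>
  <map:match pattern="subdir/**">
   <map:mount uri-prefix="subdir/" src="subdir/sitemap.xmap"/>
  </map:match>
  <map:match pattern="**.xml">
   <map:generate src="{1}.xml"/>
   <map:serialize type="xml"/>
  </map:match>
 </map:pipeline></map:pipelines>
</map:sitemap>
"""


def wildcard_to_regex(pattern):
    """Cocoon wildcard pattern to anchored regex: '**' spans '/' separators,
    '*' stays inside one segment; each becomes a group usable as {1}, {2}..."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append("(.*)")
            i += 2
        elif pattern[i] == "*":
            parts.append("([^/]*)")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def load_matchers(sitemap_xml):
    """(pattern, component, src) triples in document order, the order tried."""
    matchers = []
    for m in ET.fromstring(sitemap_xml).iter(NS + "match"):
        first = next(iter(m))            # generate / read / mount
        matchers.append((m.get("pattern"), first.tag[len(NS):], first.get("src")))
    return matchers


def resolve(sitemap_xml, request):
    """What the sitemap does with a request path: ('generate', file read),
    ('mount', sub-sitemap delegated to) or ('no-match', None)."""
    for pattern, component, src in load_matchers(sitemap_xml):
        hit = wildcard_to_regex(pattern).match(request)
        if hit:
            for n, group in enumerate(hit.groups(), start=1):
                src = src.replace("{%d}" % n, group)
            return component, src
    return "no-match", None


if __name__ == "__main__":
    for name, sitemap in (("risky", RISKY_SITEMAP), ("hardened", HARDENED_SITEMAP)):
        for path in ("subdir/sitemap.xml", "subdir/sitemap.xmap", "docs/index.xml"):
            print("%-9s %-20s -> %s" % (name, path, resolve(sitemap, path)))
```

The hardened fragment only changes what is served, not the status code; whether the deny branch can answer with a real 404 depends on the Cocoon release in use (this example assumes nothing about a status-code attribute on the serializer). The resource constraints in web.xml mentioned earlier in the thread are an independent second layer at the servlet container, and the two are worth combining because the sitemap rule alone is only as good as its position relative to every catch-all, including those in sub-sitemaps.
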
---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org

