incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Thompson <josh_thomp...@ncsu.edu>
Subject Re: [RESULT][VOTE] release Apache VCL 2.1
Date Thu, 03 Dec 2009 18:09:34 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following votes were given:

+1 Alan Cabrera (transferred from vote on vcl-dev@i.a.o list)
+1 Kevan Miller (transferred from vote on vcl-dev@i.a.o list)
+1 Niall Pemberton
+1 Ant Elder

Leo Simons made some notable comments:

> 3) There is no website yet? You really have to do a basic homepage
> over at http://incubator.apache.org/vcl/, for example so that you can
> point people at mirrors (see http://www.apache.org/dev/#mirror about
> the mirroring system).

Our plan is to copy the autoexport from our VCLDOCS confluence space as the 
content for our official web space.  VCLDOCS was created recently, and we 
haven't started migrating our content there yet.  For now, I've used a 
slightly modified version of the index page from our VCL confluence space to 
be a placeholder at the URL you've listed.  Once we get the release out, I'll 
change the link for "VCL 2.1 Information" under Project Resources to not have 
the "(unreleased)" part.

> 4) Since this is PHP code I did a cursory code review for SQL
> injection / XSS / etc. It seems like that's had some attention, but at
> a glance maybe its not quite perfect? For example checkAccess() in
> utils.php:
>
>                 $xmlpass = $_SERVER['HTTP_X_PASS'];
>                 if(get_magic_quotes_gpc())
>                         $xmlpass = stripslashes($xmlpass);
>
> where $xmlpass is used moments later to execute SQL:
>
>                         $query = "SELECT x.id "
>                                . "FROM xmlrpcKey x, "
>                                .      "user u "
>                                . "WHERE x.ownerid = u.id AND "
>                                .       "u.unityid = '$xmluser' AND "
>                                .       "x.key = '$xmlpass' AND "
>                                .       "x.active = 1";
> 
> Another piece of suspect code would be in submitLogin() in
> authentication.php which does not appear to validate the
> $_POST['password']. I'm by no means a PHP expert so I might be making
> a fool of myself here, but better safe than sorry. So, can you explain
> (preferably on, err, your website) what measures are in place to guard
> against things like SQL injection and XSS?

Wow - thanks for pouring over the code that carefully!  I am the author of the 
php part of the code.  Some time ago (before we even migrated to ASF), I went 
over everything to protect against SQL injection and XSS attacks.  However, 
more recently, I discovered that the measures in place for protection messed 
up passwords with special characters in them in the places you've pointed out 
above.  I made changes to allow the passwords to work.  I've created a JIRA 
issue (VCL-274) to look in to making those parts secure again.

We have several sites using VCL already from SVN.  Given that and the fact 
that we did get enough votes to pass, I'm going to go ahead and get this 
release out so those sites can have something official, and then address the 
SQL injection/XSS hardening in Apache VCL 2.2.

Thanks,
Josh Thompson
Apache VCL release manager
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

Josh_Thompson@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLF/7nV/LQcNdtPQMRAmn+AJ0XSR7T1TTGQlOgAxq+qYjHa5EduwCfZMtj
OiA35oS97b/Bc7U//YC7WUE=
=9aw2
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message