incubator-jspwiki-dev mailing list archives

From Murray Altheim <murra...@altheim.com>
Subject Re: Security question on SET
Date Mon, 27 Oct 2008 22:08:52 GMT
Janne Jalkanen wrote:
>> Has anyone done this already? Or is there an understanding that there
>> are no security issues here? (I'm thinking of things like permitting
>> HTML parsing for a single page, etc.  -- there might be others more
>> subtle.)
> 
> In short: yes.  Only a subset of properties, deemed safe, are allowed to 
> override the jspwiki.properties.  These aren't unfortunately really 
> documented anywhere. :-/

Janne,

Thanks very much -- I had kinda thought that such an obvious security
hole wouldn't have been able to survive so many versions of the code,
so it's reassuring to know that there is a filter in place.

On the other hand, I've been so far unable to locate in the code where
this takes place. There's the no-no list on what is permitted to be
revealed (via 'get'), and I can find handleMetadata() in the parser
(which seems to expand any variables via the VariableManager's
expandVariables() method and then simply set them for the page), but I
can't find any actual filter or filter list. If you can tell me where
this happens I might be able to document it this week on the
jspwiki.org site.

Cheers,

Murray

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record

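The mechanism Janne describes, a fixed set of "deemed safe" properties that a page-level SET may override while everything else silently keeps the jspwiki.properties value, is an allow-list. The following is an added illustration of that pattern, not JSPWiki's own code: the class name, the filter() method and the list of permitted keys are assumptions, and the property names are used only to show the shape of the check (jspwiki.translatorReader.allowHTML stands in for the "permit HTML parsing for a single page" case raised in the thread). The important property of the design is that an unknown key is rejected by default, so a newly added configuration option is never overridable from page content unless someone explicitly adds it to the list.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical allow-list filter for page-level SET overrides.
 * Added example for the discussion; not JSPWiki code. Key names are assumed.
 */
public class SetOverrideFilter {

    /** Keys a page is permitted to override (constructed list for illustration). */
    private static final Set<String> SAFE_KEYS = Set.of(
            "jspwiki.applicationName",
            "jspwiki.frontPage"
    );

    /** Result of filtering: what was applied and what was refused (for logging). */
    public static final class Result {
        public final Map<String, String> accepted = new LinkedHashMap<>();
        public final List<String> rejected = new ArrayList<>();
    }

    /**
     * Keeps only the overrides whose key is on the allow-list.
     * Anything else is dropped, so the jspwiki.properties value stays in force.
     * Keys are compared exactly; no case-folding, so a look-alike key cannot slip through.
     */
    public static Result filter(Map<String, String> requestedOverrides) {
        Result result = new Result();
        for (Map.Entry<String, String> e : requestedOverrides.entrySet()) {
            String key = e.getKey() == null ? "" : e.getKey().trim();
            if (SAFE_KEYS.contains(key)) {
                result.accepted.put(key, e.getValue());
            } else {
                // Unknown or sensitive key: refuse, and record it so the attempt can be logged.
                result.rejected.add(key);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample of what a page's SET directives might request.
        Map<String, String> requested = new LinkedHashMap<>();
        requested.put("jspwiki.frontPage", "Welcome");
        requested.put("jspwiki.translatorReader.allowHTML", "true"); // not on the list
        requested.put("jspwiki.FrontPage", "Other");                 // case differs: not on the list

        Result r = filter(requested);
        System.out.println("applied:  " + r.accepted);   // {jspwiki.frontPage=Welcome}
        System.out.println("refused:  " + r.rejected);   // [jspwiki.translatorReader.allowHTML, jspwiki.FrontPage]
    }
}
```

Logging the refused keys is the part worth keeping even once the real filter is located in the code: a page that repeatedly tries to set a property it is not allowed to touch is a useful signal for whoever administers the wiki.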