Hi all,
Andy Gelme wrote me a mail to point out a security hole in Daisy. The
'include' one can do in documents allows one to retrieve content from
any URL which can be resolved by the Cocoon source resolver. This
includes standard URL schemes such as "http:" and "file:" or
Cocoon-specific ones such as "cocoon:".
The problem is quite obvious: this makes it possible, for example, to
retrieve the content of any well-formed XML file on the file system of
the server on which Daisy is running (if there are no other provisions
in place). The other protocols also have problems: the http URLs are
resolved behind the firewall (if any), and the cocoon: URLs allow
calling internal Cocoon pipelines (in a default Daisy install probably
not a problem).
Of course, this will only work:
* for persons that have edit access on the Daisy Wiki
* for well formed XML files
* and it requires knowledge of the server setup (or luck)
An immediate fix is to disable the processing of includes. This can be
done quite simply: just open the following file in a text editor:
    daisy/daisywiki/webapp/daisy/sitemap.xmap
and search for the following line:
    <map:transform type="DaisyExternalInclude"/>
and comment it out, which is done as follows:
    <!-- map:transform type="DaisyExternalInclude"/ -->
This problem affects all Daisy releases. A patched release with a
permanent solution will be provided as soon as possible, see below.
- o -
Now we need to look for a more permanent solution. The idea I have for
now is:
* for each URL scheme, allow enabling or disabling it (default: all
  disabled)
* for each enabled URL scheme, allow specifying either:
  1/ that by default all URLs are disallowed,
     except a list of allowed ones
  OR
  2/ that by default all URLs are allowed,
     except a list of disallowed ones
For files, the first option is probably the easiest, while for http URLs
the second one might be preferable.
Comments?
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno at outerthought.org bruno at apache.org
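
The per-scheme policy proposed in the message above, sketched as an added example (not Daisy's code and not from the original post; written in Python rather than Daisy's Java so it runs stand-alone). The class names, the include directory and the host names are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass
class SchemeRule:
    default_allow: bool      # False = option 1 (allow list), True = option 2 (deny list)
    exceptions: tuple = ()   # host names, or path prefixes for URLs without a host


@dataclass
class IncludePolicy:
    rules: dict = field(default_factory=dict)  # scheme -> SchemeRule; no entry = disabled

    def is_allowed(self, url: str) -> bool:
        try:
            parts = urlsplit(url)
            host = parts.hostname
        except ValueError:
            return False                         # unparseable URL: refuse
        rule = self.rules.get(parts.scheme.lower())
        if rule is None:
            return False                         # scheme not enabled (the default)
        if host:
            # A deny list only covers the exact names it contains.
            listed = host.lower().rstrip(".") in rule.exceptions
        else:
            # Decode and collapse "." / ".." before comparing, so the check is
            # made on the path that would actually be opened.
            path = posixpath.normpath(unquote(parts.path))
            listed = any(path == p or path.startswith(p.rstrip("/") + "/")
                         for p in rule.exceptions)
        return listed != rule.default_allow


def sample_policy() -> IncludePolicy:
    # Constructed values: the directory and host names are placeholders.
    return IncludePolicy({
        "file": SchemeRule(False, ("/srv/daisy/includes",)),
        "http": SchemeRule(True, ("localhost", "intranet.example.com")),
        # "cocoon" has no entry, so cocoon: includes stay disabled.
    })
```

The check belongs immediately before the include URL is handed to the source resolver, and it has to run on the same normalized form the resolver will use.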