From db746519ebca6495342d836a77c0664977ee0d99 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 1 Dec 2009 16:04:18 -0500 Subject: security and comments --- doc/plugins/contrib/xslt/discussion.mdwn | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 doc/plugins/contrib/xslt/discussion.mdwn (limited to 'doc/plugins/contrib/xslt/discussion.mdwn') diff --git a/doc/plugins/contrib/xslt/discussion.mdwn b/doc/plugins/contrib/xslt/discussion.mdwn new file mode 100644 index 000000000..a549681de --- /dev/null +++ b/doc/plugins/contrib/xslt/discussion.mdwn @@ -0,0 +1,16 @@ +## security + +I'm curious what the security implications of having this plugin on a +publically writable wiki are. + +First, it looks like the way it looks up the stylesheet file will happily +use a regular .mdwn wiki page as the stylsheet. Which means any user can +create a stylesheet and have it be used, without needing permission to +upload arbitrary files. That probably needs to be fixed; one way would be +to mandate that the `srcfile` has a `.xsl` extension. + +Secondly, if an attacker is able to upload a stylesheet file somehow, could +this be used to attack the server where it is built? I know that xslt is +really a full programming language, so I assume at least DOS attacks are +possible. Can it also read other arbitrary files, run other programs, etc? +--[[Joey]] -- cgit v1.2.3 From 3ca05b15d6c47446e89128b405b9ffce8a418a3c Mon Sep 17 00:00:00 2001 From: "http://kerravonsen.dreamwidth.org/" Date: Tue, 1 Dec 2009 18:30:25 -0500 Subject: reply to comment --- doc/plugins/contrib/xslt/discussion.mdwn | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'doc/plugins/contrib/xslt/discussion.mdwn') diff --git a/doc/plugins/contrib/xslt/discussion.mdwn b/doc/plugins/contrib/xslt/discussion.mdwn index a549681de..3288150a4 100644 --- a/doc/plugins/contrib/xslt/discussion.mdwn +++ b/doc/plugins/contrib/xslt/discussion.mdwn @@ -14,3 +14,9 @@ this be used to attack the server where it is built? I know that xslt is really a full programming language, so I assume at least DOS attacks are possible. Can it also read other arbitrary files, run other programs, etc? --[[Joey]] + +> For the first point, agreed. It should probably check that the data file has a `.xml` extension also. Will fix soon. + +> For the second point, I think the main concern would be resource usage. XSLT is a pretty limited language; it can read other XML files, but it can't run other programs so far as I know. + +> -- [[KathrynAndersen]] -- cgit v1.2.3 From 18840f67e991e48e1c78bf848ce3dd50a649569b Mon Sep 17 00:00:00 2001 From: "http://kerravonsen.dreamwidth.org/" Date: Tue, 1 Dec 2009 18:51:48 -0500 Subject: now have fixed xslt plugin --- doc/plugins/contrib/xslt/discussion.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/plugins/contrib/xslt/discussion.mdwn') diff --git a/doc/plugins/contrib/xslt/discussion.mdwn b/doc/plugins/contrib/xslt/discussion.mdwn index 3288150a4..9cda02f88 100644 --- a/doc/plugins/contrib/xslt/discussion.mdwn +++ b/doc/plugins/contrib/xslt/discussion.mdwn @@ -15,7 +15,7 @@ really a full programming language, so I assume at least DOS attacks are possible. Can it also read other arbitrary files, run other programs, etc? --[[Joey]] -> For the first point, agreed. It should probably check that the data file has a `.xml` extension also. Will fix soon. +> For the first point, agreed. It should probably check that the data file has a `.xml` extension also. Have now fixed. > For the second point, I think the main concern would be resource usage. XSLT is a pretty limited language; it can read other XML files, but it can't run other programs so far as I know. -- cgit v1.2.3 From ba05b907e3563f9aa25a4322abd9ab2d5b56b36b Mon Sep 17 00:00:00 2001 From: "http://oneingray.myopenid.com/" Date: Sun, 28 Mar 2010 15:58:37 +0000 Subject: More wishlist items for the `xslt` plugin. --- doc/plugins/contrib/xslt/discussion.mdwn | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'doc/plugins/contrib/xslt/discussion.mdwn') diff --git a/doc/plugins/contrib/xslt/discussion.mdwn b/doc/plugins/contrib/xslt/discussion.mdwn index 9cda02f88..72cce083c 100644 --- a/doc/plugins/contrib/xslt/discussion.mdwn +++ b/doc/plugins/contrib/xslt/discussion.mdwn @@ -20,3 +20,30 @@ possible. Can it also read other arbitrary files, run other programs, etc? > For the second point, I think the main concern would be resource usage. XSLT is a pretty limited language; it can read other XML files, but it can't run other programs so far as I know. > -- [[KathrynAndersen]] + +>> XSLT is, indeed, a Turing-complete programming language. + However, [XML::LibXSLT][] provides a set of functions to help + to minimize the damage that may be caused by running a random + program. + +>> In particular, `max_depth ()` allows for the maximum + recursion depth to be set, while + `read_file ()`, `write_file ()`, `create_dir ()`, + `read_net ()` and `write_net ()` + are the callbacks that allow any of the possible file + operations to be denied. + +>> To be honest, I'd prefer for the `read_file ()` callback to + only grant access to the files below the Ikiwiki source + directory, and for all the `write_`… and + …`_net` callbacks to deny the access unconditionally. + +>> One more wishlist item: allow the set of locations to take + `.xsl` files from to be preconfigured, so that, e. g., + one could allow (preasumably trusted) system stylesheets, + while disallowing any stylesheets that are placed on the Wiki + itself. + +>> — Ivan Shmakov, 2010-03-28Z. + +[XML::LibXSLT]: http://search.cpan.org/~PAJAS/XML-LibXSLT/LibXSLT.pm -- cgit v1.2.3