
showing template sources to all

Anthony Pankov
Hello

Does anybody bother about the ability to get unprocessed template files?
Like this:
http://issues.roundup-tracker.org/@@file/issue.index.html

It seems to me that this raises a security risk.

I tried to adjust static_files option with directory name but it seems
to change only search order and not to jail all files to that dir.

--
Best regards,
 Anthony  Pankov                        mailto:[hidden email]


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-devel

Re: showing template sources to all

John P. Rouillard

Hi Anthony,

In message <[hidden email]>,
Anthony Pankov writes:
>Does anybody bother about ability to get unprocessed template files?
>Like this:
>http://issues.roundup-tracker.org/@@file/issue.index.html
>
>As seems to me it raises a security risk.
>
>I tried to adjust static_files option with directory name but it seems
>to change only search order and not to jail all files to that dir.

Nice find. It seems obvious that this is how it would work, now that I
think of it.

From a security perspective, probably 90%+ of the templates are in the
source code that anybody can get. But we don't tell people that these
files are easily viewed and to not put anything in there that is
secret.

That being said, I agree it is somewhat surprising, but the
description for the static files parameter does state:

 This directory may contain sitewide images, CSS stylesheets etc. and
 is searched for these files prior to the TEMPLATES directory
 specified above.

so there is no "jail" functionality.

If we need to handle this, how should this be handled?

Blocking @@file/*.html and @@file/*.xml is probably safe (we block
home.html as well as class.view.html).  However if people pull in html
fragments (using javascript for example) it could cause issues.

Should we also block:

  @@file/.../*.html and @@file/.../*.xml

since template files can now be placed in subdirectories?

We can scan files that end in .xml or .html for template markup. If
markup is found we can deny the download. But this needs to be
maintained for each templating language and will be slow and
complex.

Should we have a new config option:

  raw_file_whitelist = /css /js

allow @@file/css/... @@file/js/...

or do we need something more complex like:

  raw_file_acl = -/css/*.html /css /js -*.html

do not allow @@file/css/*.html but do allow all other @@file/css/...
and @@file/js/... and do not allow any other @@file/.../*.html.

Or should the existing:

   static_files =

be enhanced so that it can take multiple directories and a trailing -:

   static_files = html/cgi/ html/javascript/ static/ -

the trailing - stops all other access (so it does not include the
TEMPLATES directory as the ini file states).

Alternatively we just document the issue and don't deal with it.

Comments?
 
--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.


Re: showing template sources to all

Ralf Schlatterbeck-3
On Thu, Apr 06, 2017 at 02:20:07PM -0400, John P. Rouillard wrote:
> Blocking @@file/*.html and @@file/*.xml is probably safe (we block
> home.html as well as class.view.html).  However if people pull in html
> fragments (using javascript for example) it could cause issues.
>
> Should we also block:
>
>   @@file/.../*.html and @@file/.../*.xml
>
> since template files can now be placed in subdirectories?

How about putting all the files that are served via the @@file mechanism
into their own subdirectory under html, e.g. html/files?
And add a config option that can configure the directory above which
defaults to empty (and therefore doesn't add a path component)?

That sounds a lot safer than trying to find out which files the user
wants and doesn't want to serve.
The obvious directory traversal vulnerabilities apply (e.g. .. in the
path).

> Or should the existing:
>
>    static_files =
>
> be enhanced so that it can take multiple directories and a trailing -:
>
>    static_files = html/cgi/ html/javascript/ static/ -
>
> the trailing - stops all other access (so it does not include the
> TEMPLATES directory as the ini file states).

Ah we already have a static_files config.
Yes the idea with the '-' looks fine.

Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: [hidden email]


Re: showing template sources to all

Anthony Pankov
In reply to this post by John P. Rouillard
Hi, John.

> Or should the existing:

>    static_files =

> be enhanced so that it can take multiple directories and a trailing -:

>    static_files = html/cgi/ html/javascript/ static/ -

> the trailing - stops all other access (so it does not include the
> TEMPLATES directory as the ini file states).

I think this is a really beautiful solution for the issue.

--
Best regards,
 Anthony                          mailto:[hidden email]



Re: showing template sources to all

John P. Rouillard
Hi Anthony:

In message <[hidden email]>, Anthony Pankov writes:

>> Or should the existing:
>
>>    static_files =
>
>> be enhanced so that it can take multiple directories and a trailing -:
>
>>    static_files = html/cgi/ html/javascript/ static/ -
>
>> the trailing - stops all other access (so it does not include the
>> TEMPLATES directory as the ini file states).
>
>I think this is a really beautiful solution for the issue.

I have checked in 8743b7226dc7 that implements what I described with
one difference. A solo - anywhere in the list stops processing of the
list and raises a NotFound exception.

If you can give it a look and see if it works for you that would be
great.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
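The behaviour agreed in this thread (a `static_files` list searched in order, a solo `-` that stops the search before the TEMPLATES directory is consulted, and Ralf's point that the usual directory traversal checks still apply) can be sketched as a small resolver. The code below is an added illustration and is not Roundup's code nor the changeset 8743b7226dc7 mentioned above; the function names `safe_relative_path`, `resolve_static_file` and `demo`, the `NotFound` class and the tracker layout it builds under a temporary directory are all constructed for the example. It assumes directory entries in `static_files` contain no whitespace.

```python
"""Added example (not Roundup's code): resolve an @@file-style request
against a static_files list with a '-' stop sentinel, refusing traversal."""
import os
import tempfile


class NotFound(Exception):
    """Raised when the request must be refused: stopped by '-', traversal, or missing."""


def safe_relative_path(requested):
    """Normalise a client-supplied path and reject anything that could escape
    the configured directories: absolute paths, NUL bytes and '..' components.
    Assumption (example only): clients use '/' as the separator."""
    if not requested or requested.startswith(("/", "\\")) or "\x00" in requested:
        raise NotFound(requested)
    parts = [p for p in requested.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise NotFound(requested)
    return os.path.join(*parts)


def resolve_static_file(requested, static_files, templates_dir):
    """Return the on-disk path that an @@file request maps to.

    static_files: whitespace-separated directories searched in order. A solo
    '-' anywhere in the list stops the search and raises NotFound, so the
    TEMPLATES directory is never reached. Without '-', the TEMPLATES
    directory is searched last, as the existing config description says."""
    rel = safe_relative_path(requested)
    for entry in static_files.split():
        if entry == "-":
            raise NotFound(requested)
        candidate = os.path.join(entry, rel)
        # Belt and braces: also refuse symlinks that point outside the entry.
        inside = os.path.realpath(candidate).startswith(os.path.realpath(entry) + os.sep)
        if inside and os.path.isfile(candidate):
            return candidate
    candidate = os.path.join(templates_dir, rel)
    if os.path.isfile(candidate):
        return candidate
    raise NotFound(requested)


def build_demo_tree(root):
    """Create a tiny constructed tracker layout: one template, two static files."""
    layout = {
        "html/issue.index.html": "<tal:block>template source</tal:block>",
        "static/css/style.css": "body { margin: 0 }",
        "static/js/app.js": "console.log('hi')",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def _outcome(requested, static_files, templates_dir):
    try:
        resolve_static_file(requested, static_files, templates_dir)
        return "served"
    except NotFound:
        return "refused"


def demo():
    """Compare a jailed config ('static -') with the legacy one ('static')."""
    root = tempfile.mkdtemp()
    build_demo_tree(root)
    templates = os.path.join(root, "html")
    static = os.path.join(root, "static")
    jailed = static + " -"
    return {
        "css_jailed": _outcome("css/style.css", jailed, templates),
        "template_jailed": _outcome("issue.index.html", jailed, templates),
        "traversal_jailed": _outcome("../html/issue.index.html", jailed, templates),
        "template_legacy": _outcome("issue.index.html", static, templates),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the jailed configuration the stylesheet is served, the template source and the `../` attempt are both refused; with the legacy configuration (no `-`) the template source is still served from TEMPLATES, which is exactly the exposure Anthony reported.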
