Item1658: PublishPlugin enables non-privileged users to download exported webs - documentation needs improvement

Priority: Normal
Current State: Closed
Released In:
Target Release: n/a
Applies To: Extension
Component: PublishPlugin
Branches:
Reported By: PhilippLeufke
Waiting For:
Last Change By: CrawfordCurrie

Description

Previously exported webs are accessible by everyone. Even the download link in the history topic is visible to nobody users. This is a security bug, since read restrictions of topics become ineffective.

There should be an option to restrict access to the exported files. If this is too much work, it should at least be possible for the user to delete the generated files after having downloaded them.

BTW: Is there a recommended way for the admin for keeping the folder, where the exported webs are stored, clean? I guess some cron job... But: in case of large webs, one could think of a DOS attack by just exporting the webs over and over again, leading to a full HDD.


The PublishPlugin control panel (accessible to admins) is designed for managing published files. It is linked from the main publishing page.

The publish directory is deliberately left as a simple directory so that web admins can apply the web security appropriate to those directories. It is not the job of the PublishPlugin to dictate Apache access controls; once a web is published, it is no longer under Foswiki control.

Yes, if you allow open access to publishing, a DOS attack is quite possible. But then, why would you do that? The plugin is designed primarily for use by responsible adults working behind a corporate firewall; I would never recommend anyone to make it available in the wild.

-- CrawfordCurrie - 29 May 2009


Well, I don't think it is as easy as you say. I agree that we should at first only regard responsible adults as main users. But: As long as they don't know that they are creating possible security holes by just exporting a web, they can't act in a responsible way.

To me it is inconsistent to have fine-grained permission settings in Foswiki on the one hand and a plugin which will ignore all these settings after a web has been published. If we only consider responsible adults, we could discard the first as well.

In my eyes, each user should have control over the files he exported. Possible solutions would be:
  1. set the web server's file access permissions (probably too messy, I agree)
  2. allow setting an encryption password for the created files
  3. at least allow the user to delete the files he created

In any case, the user should be informed about the security issue.

-- PhilippLeufke - 31 May 2009

You are right, the documentation should be more explicit. But I need to reinforce the point that the PublishPlugin is an export tool. Once something is exported, it is no longer under the control of Foswiki. I have changed the headline accordingly.

One option we might consider is supporting a publish mode for single file publishing - pdf, zip, tgz - where the output is attached to a target topic. It would thus come under the scope of Foswiki access controls (this is just a suggestion for an enhancement and is not under the scope of this report).

-- CrawfordCurrie - 01 Jun 2009

Enhancement suggestion is submitted: Item1676

-- PhilippLeufke - 01 Jun 2009

Doc update done

-- CrawfordCurrie - 11 Jun 2009

Summary: PublishPlugin enables non-privileged users to download exported webs - documentation needs improvement
ReportedBy: PhilippLeufke
Codebase:
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Extension
Component: PublishPlugin
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: PublishPlugin:52a24a41c613 PublishPlugin:cb3bfc501a16
TargetRelease: n/a
ReleasedIn:
Topic revision: r7 - 11 Jun 2009, CrawfordCurrie