Item1658: PublishPlugin enables non-privileged users to download exported webs - documentation needs improvement
Priority: Normal
Current State: Closed
Released In:
Target Release: n/a
Description
Previously exported webs are accessible by everyone. Even the download link in the history topic is visible to nobody users. This is a security bug, since read restrictions of topics become ineffective.
There should be an option to restrict access to the exported files. If this is too much work, it should at least be possible for the user to delete the generated files after having downloaded them.
BTW: Is there a recommended way for the admin for keeping the folder, where the exported webs are stored, clean? I guess some cron job...
But: in case of large webs, one could think of a DOS attack by just exporting the webs over and over again, leading to a full HDD.
The PublishPlugin control panel (accessible to admins) is designed for managing published files. It is linked from the main publishing page.
The publish directory is deliberately left as a simple directory so that web admins can apply the web security appropriate to those directories. It is not the job of the PublishPlugin to dictate Apache access controls; once a web is published, it is no longer under Foswiki control.
Yes, if you allow open access to publishing, a DOS attack is quite possible. But then, why would you do that? The plugin is designed primarily for use by responsible adults working behind a corporate firewall; I would never recommend anyone to make it available in the wild.
-- CrawfordCurrie - 29 May 2009
Well, I don't think it is as easy as you say. I agree that we should at first only regard responsible adults as main users.
But: As long as they don't know that they are creating possible security holes by just exporting a web, they can't act in a responsible way.
To me it is inconsistent to have fine grained permission settings in Foswiki on the one hand and a plugin which will ignore all these settings, after a web has been published. If we only consider responsible adults, we could discard the first as well.
In my eyes, each user should have control over the files he exported. Possible solutions would be:
- set the webserver's file access permissions (probably too messy, I agree)
- allow setting an encryption password for the created files
- at least allow the user to delete the files he created
In any way, the user should be informed about the security issue.
-- PhilippLeufke - 31 May 2009
You are right, the documentation should be more explicit. But I need to reinforce the point that the PublishPlugin is an export tool. Once something is exported, it is no longer under the control of Foswiki. I have changed the headline accordingly.
One option we might consider is supporting a publish mode for single file publishing - pdf, zip, tgz - where the output is attached to a target topic. It would thus come under the scope of Foswiki access controls (this is just a suggestion for an enhancement and is not under the scope of this report).
-- CrawfordCurrie - 01 Jun 2009
Enhancement suggestion is submitted: Item1676
-- PhilippLeufke - 01 Jun 2009
Doc update done.
-- CrawfordCurrie - 11 Jun 2009