On Thu, Mar 6, 2008 at 10:57 AM, Brad Nicholes <[EMAIL PROTECTED]> wrote: > -1 for now. The concern that I have is that by injecting the name of the > cluster as it is pulled from the query string, seems a little dangerous. > This would allow the realm to be altered in any way by just modifying the > query string. Not sure if that is a real issue or not, but it seems > dangerous. Can anybody else clarify this more?
It seems that the issue is that different clusters should exist in different authentication realms. Currently, they do not. IMO, this is both reasonable and desirable. I think that this patch would probably be okay, if there was some additional checking logic. Specifically, something to compare the value of $clustername against a list of valid NAME attributes in the <CLUSTER> tags. This way, if someone requests a cluster they know exists, it's okay, but they can't arbitrarily try against a non-existent realm. Of course, does that matter? To pass HTTP auth, you have to have a valid triplet of information in the form of realm:username:password (at least, that's my understanding of it). On the assumption that Apache does the right thing in the case of a bogus realm (cause authentication to fail), then I don't see much of a problem with this patch. The one other thing to double-check is that $clustername is properly escaped, since it will be displayed back to the user. So, a +0 from me. :-) -- Jesse Becker GPG Fingerprint -- BD00 7AA4 4483 AFCC 82D0 2720 0083 0931 9A2B 06A2 ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Ganglia-developers mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ganglia-developers
