>>> On 3/6/2008 at 10:12 AM, in message
<[EMAIL PROTECTED]>, "Jesse Becker"
<[EMAIL PROTECTED]> wrote:
> On Thu, Mar 6, 2008 at 10:57 AM, Brad Nicholes <[EMAIL PROTECTED]> wrote:
>>   -1 for now.  The concern that I have is that injecting the name of the
>> cluster as it is pulled from the query string seems a little dangerous.
>> This would allow the realm to be altered in any way by just modifying the
>> query string.  Not sure if that is a real issue or not, but it seems
>> dangerous.  Can anybody else clarify this more?
> 
> It seems that the issue is that different clusters should exist in
> different authentication realms.  Currently, they do not.  IMO, this
> is both reasonable and desirable.
> 
> I think that this patch would probably be okay, if there was some
> additional checking logic.  Specifically, something to compare the
> value of $clustername against a list of valid NAME attributes in the
> <CLUSTER> tags.  This way, if someone requests a cluster they know
> exists, it's okay, but they can't arbitrarily try against a
> non-existent realm.  Of course, does that matter?  To pass HTTP
> auth, you have to have a valid triplet of information in the form of
> realm:username:password (at least, that's my understanding of it).  On
> the assumption that Apache does the right thing in the case of a bogus
> realm (cause authentication to fail), then I don't see much of a
> problem with this patch.
> 
> The one other thing to double-check is that $clustername is properly
> escaped, since it will be displayed back to the user.
> 
> So, a +0 from me. :-)
> 


The cluster name is being properly escaped so I don't think that is an issue.  
But I would feel a little better about this patch if your suggestion to check 
against the known cluster names were done.  Even if Apache does the right 
thing, there is no validation of the realm unless the Ganglia code does it.  
This would mean that the realm part of the triplet would be bogus because 
regardless of the username and password, the realm could be modified to 
anything.

Ramon,
    Can you rework the patch and add a cluster name check?

Brad

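The cluster-name check requested above, worked through as an added example that is not Ganglia's own code (the web frontend is PHP; this is a Python sketch of the same logic). It assumes a `c=` query parameter carries the requested cluster, a constructed stand-in for the gmetad XML, and hypothetical helper names.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed stand-in for the XML gmetad serves on its query port; only the
# attributes this check reads are included.
SAMPLE_GMETAD_XML = """<GANGLIA_XML VERSION="3.0.7" SOURCE="gmetad">
  <GRID NAME="unspecified">
    <CLUSTER NAME="web-tier" OWNER="ops" URL="unspecified"/>
    <CLUSTER NAME="db-tier" OWNER="ops" URL="unspecified"/>
  </GRID>
</GANGLIA_XML>
"""

def known_cluster_names(xml_text):
    """Collect the NAME attribute of every <CLUSTER> tag in the gmetad XML."""
    root = ET.fromstring(xml_text)
    return {c.attrib["NAME"] for c in root.iter("CLUSTER")}

def validate_cluster(query_string, xml_text):
    """Return the requested cluster name only if gmetad knows about it.

    This is the allow-list check from the thread: the realm is derived from
    configured data, never taken straight from the query string, so a
    request cannot select an arbitrary realm (or push quotes or CRLF into
    the response header).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("c", [""])[0]
    if requested in known_cluster_names(xml_text):
        return requested
    return None

def www_authenticate_for(cluster, default_realm="Ganglia"):
    """Build the WWW-Authenticate value: a per-cluster realm for a validated
    name, the default realm otherwise, so a bogus realm never reaches Apache."""
    realm = "Ganglia cluster %s" % cluster if cluster else default_realm
    return 'Basic realm="%s"' % realm

def display_name(cluster):
    """HTML-escape the name before echoing it into the page (Jesse's second
    point); this escaping is for HTML output, not for the header."""
    return html.escape(cluster, quote=True)

if __name__ == "__main__":
    for qs in ("c=web-tier", "c=db-tier%22%20x", "c=nosuch"):
        ok = validate_cluster(qs, SAMPLE_GMETAD_XML)
        print(qs, "->", ok, "|", www_authenticate_for(ok))
```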

_______________________________________________
Ganglia-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
