At 03:19 AM 3/21/2003, you wrote:
Stefano Mazzocchi wrote:

Tony Collen wrote:

Browsing the livesites, on a whim I tried this URL:

http://dir.salon.com/?cocoon-view=content

and it worked!  Obviously someone deploying Cocoon should be aware that
this view is "on" by default, and may reveal data in your page you might
not want.  I have yet to see "bad" data get exposed, but there's always
the possibility.


Well, the cocoon "view" was designed to be a standard way for external crawlers or spiders to gather 'semantically meaningful' data from URLs served by cocoon.

Yes, there is the possibility of bad data exposed.


<snip/>


So, at the end, I would do:

1) turn off views from the default sitemap. NOTE: this will turn off the ability to make static snapshots of your webapp from the cocoon CLI!

2) write a pretty detailed comment in the default sitemap telling what views are, how they work briefly and what potential security issues do they make.

3) keep the view parameter name hardcoded as it is.

Thoughts? anybody against this?


What about simply adding an IP matcher in the view that would restrict access to the view to a reserved set of clients (localhost by default), and direct others to a nice page, or simply a 404 error? This would leave the door open to local debugging and crawling, and would firmly close it to remote "attacks".

I don't see any need for #1 because
- isn't it used by a lot of samples?
- it gives the impression that they are not meant to be public and normally expose dangerous data (which they don't - probably)


If the warning is there, and information/ability is provided on strategies to secure views (like Sylvain's good suggestion) that's enough IMHO.

By the way, I think there are bigger security problems in cocoon...

Geoff
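As an added example (not code from this thread or from the Cocoon project), a small Python log scan that applies the localhost allowlist idea from the thread on the detection side: it flags requests carrying the cocoon-view parameter that come from clients outside the allowlist, so an operator can see whether the view is being pulled remotely. The combined log format, the allowlist networks and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Clients allowed to use cocoon-view: localhost only by default (assumption for this example).
DEFAULT_ALLOWED = ("127.0.0.1/32", "::1/128")

# Simplified parser for a combined-format access log line (client IP, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def view_requested(target):
    """Return the cocoon-view value if the request target carries that parameter, else None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("cocoon-view")
    return values[0] if values else None


def is_allowed(client_ip, allowed=DEFAULT_ALLOWED):
    """True if the client address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed)


def find_remote_view_requests(log_lines, allowed=DEFAULT_ALLOWED):
    """Collect (ip, view, target, status) for cocoon-view requests from non-allowlisted clients."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        view = view_requested(m.group("target"))
        if view is not None and not is_allowed(m.group("ip"), allowed):
            hits.append((m.group("ip"), view, m.group("target"), m.group("status")))
    return hits


# Constructed sample log lines (not real traffic); the addresses are documentation ranges.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Mar/2003:03:10:01 +0000] "GET /?cocoon-view=content HTTP/1.0" 200 2048',
    '198.51.100.7 - - [21/Mar/2003:03:19:22 +0000] "GET /?cocoon-view=content HTTP/1.0" 200 2048',
    '198.51.100.7 - - [21/Mar/2003:03:19:30 +0000] "GET /news/index.html HTTP/1.0" 200 5120',
    '203.0.113.9 - - [21/Mar/2003:03:21:05 +0000] "GET /docs/?foo=1&cocoon-view=links HTTP/1.0" 404 310',
]

if __name__ == "__main__":
    for ip, view, target, status in find_remote_view_requests(SAMPLE_LOG):
        print(f"{ip} requested view '{view}' via {target} (status {status})")
```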


