The whole point of the recent changes is to make Freenet not a massive local security hole:

- We were already refusing to overwrite files already on disk. Unfortunately Java doesn't let us do this atomically, so we were vulnerable to symlink attacks. Hence the new bucket code to write to a temp file and then rename over the target.

- We don't want clients to be able to upload any file that fproxy has access to. Most people won't run it in a chroot. So I introduced the downloadAllowedDirs and uploadAllowedDirs options so that you could limit where clients can download from or upload to.

- These settings are worthless if they can simply be overwritten. So "full access" means the ability to change config settings, as well as restarting the node etc. It does NOT mean the ability to save stuff to disk.

- One idea was to require a successful TestDDA before allowing direct disk access in FCP: FCP clients can then only get the node to write to or read from directories which they can themselves write to and read from.

- Since this verification is impossible with Fproxy, maybe it is best to disallow disk downloads from an untrusted fproxy client?
On Sat, Mar 24, 2007 at 06:20:45PM +0000, nextgens at freenetproject.org wrote: > Author: nextgens > Date: 2007-03-24 18:20:45 +0000 (Sat, 24 Mar 2007) > New Revision: 12320 > > Modified: > trunk/freenet/src/freenet/clients/http/FProxyToadlet.java > Log: > Don't allow downloads to the download directory if we are in limited mode > > Modified: trunk/freenet/src/freenet/clients/http/FProxyToadlet.java > =================================================================== > --- trunk/freenet/src/freenet/clients/http/FProxyToadlet.java 2007-03-24 > 18:18:42 UTC (rev 12319) > +++ trunk/freenet/src/freenet/clients/http/FProxyToadlet.java 2007-03-24 > 18:20:45 UTC (rev 12320) 
> @@ -394,15 +394,17 @@ > HTMLNode optionForm = option.addChild("form", > new String[] { "action", "method" }, new String[] {'/' + key.toString(), > "get" }); > optionForm.addChild("input", new String[] { > "type", "name", "value" }, new String[] { "hidden", "max-size", > String.valueOf(e.expectedSize == -1 ? Long.MAX_VALUE : e.expectedSize*2) }); > optionForm.addChild("input", new String[] { > "type", "name", "value" }, new String[] { "submit", "fetch", "Fetch anyway > and display file in browser" }); > - option = optionList.addChild("li"); > - optionForm = ctx.addFormChild(option, > "/queue/", "tooBigQueueForm"); > - optionForm.addChild("input", new String[] { > "type", "name", "value" }, new String[] { "hidden", "key", key.toString() }); > - optionForm.addChild("input", new String[] { > "type", "name", "value" }, new String[] { "hidden", "return-type", "disk" }); > - optionForm.addChild("input", new String[] { > "type", "name", "value" }, new String[] { "hidden", "persistence", "forever" > }); > - if (mime != null) { > - optionForm.addChild("input", new > String[] { "type", "name", "value" }, new String[] { "hidden", "type", mime > }); > + if(ctx.isAllowedFullAccess()) { > + option = optionList.addChild("li"); > + optionForm = ctx.addFormChild(option, > "/queue/", "tooBigQueueForm"); > + optionForm.addChild("input", new > String[] { "type", "name", "value" }, new String[] { "hidden", "key", > key.toString() }); > + optionForm.addChild("input", new > String[] { "type", "name", "value" }, new String[] { "hidden", "return-type", > "disk" }); > + optionForm.addChild("input", new > String[] { "type", "name", "value" }, new String[] { "hidden", "persistence", > "forever" }); > + if (mime != null) { > + optionForm.addChild("input", > new String[] { "type", "name", "value" }, new String[] { "hidden", "type", > mime }); > + } > + optionForm.addChild("input", new > String[] { "type", "name", "value" }, new String[] { "submit", "download", > "Download in background and 
store in downloads directory" }); > } > - optionForm.addChild("input", new String[] { > "type", "name", "value" }, new String[] { "submit", "download", "Download in > background and store in downloads directory" }); > optionList.addChild("li").addChild("a", new > String[] { "href", "title" }, new String[] { "/", "FProxy home page" }, > "Abort and return to the FProxy home page"); > > writeReply(ctx, 200, "text/html", "OK", > pageNode.generate()); > @@ -453,7 +455,7 @@ > infoboxContent = infobox.addChild("div", > "class", "infobox-content"); > > HTMLNode optionList = > infoboxContent.addChild("ul"); > - if(!e.isFatal()) { > + if(!e.isFatal() && ctx.isAllowedFullAccess()) { > option = optionList.addChild("li"); > HTMLNode optionForm = > ctx.addFormChild(option, "/queue/", "dnfQueueForm"); > optionForm.addChild("input", new > String[] { "type", "name", "value" }, new String[] { "hidden", "key", > key.toString() }); > > _______________________________________________ > cvs mailing list > cvs at freenetproject.org > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/cvs > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20070324/e1d631d7/attachment.pgp>
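Review bot: in the first hunk (@@ -394,15 +394,17 @@), wrapping the "Download in background and store in downloads directory" form in `if(ctx.isAllowedFullAccess())` removes the option from the rendered page but is not itself an authorization check; the /queue/ handler that receives `return-type=disk` and `persistence=forever` must apply the same test, since a browser can submit that form without this page ever being rendered. The hunk also ties disk writes to the same privilege the reply above says should only cover config changes and restarts; if saving to disk is meant to be a separate permission (or to be governed by downloadAllowedDirs), a dedicated check would keep the two concepts from drifting. The "Fetch anyway and display file in browser" form in the unchanged context is still offered to limited-access clients, which matches the stated intent because it writes nothing to disk.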
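Review bot: in the second hunk (@@ -453,7 +455,7 @@), the condition `if(!e.isFatal() && ctx.isAllowedFullAccess())` repeats the full-access test from the previous hunk; a single helper on the toadlet context (a hypothetical canQueueToDisk(), for instance) would keep both sites in step when the policy changes. The same caveat applies here: the dnfQueueForm is only hidden from the page, so the /queue/ endpoint must reject disk-persistence requests from limited-access clients on its own.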
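The two disk-write defences the reply above describes, the downloadAllowedDirs-style directory allow-list and the bucket pattern of writing to a temp file and renaming over the target, as an added example in modern Java (NIO.2, Java 7+, which did not exist when the reply was written). This is not Freenet's code; the class name SafeDownloadWriter, its method names, and the directory layout constructed in main are assumptions. It goes slightly beyond the reply by also showing the exclusive-create open that closes the exists()-then-write window for the "never overwrite" case.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/*
 * Added example, not Freenet code. Class and method names are hypothetical.
 *  1. resolveAllowed(): a downloadAllowedDirs-style allow-list compared against
 *     real (symlink-resolved) paths.
 *  2. writeAtomically(): temp file in the target's own directory, then one rename.
 *  3. writeExclusive(): O_CREAT|O_EXCL-style create for "never overwrite".
 */
public final class SafeDownloadWriter {

    private final List<Path> allowedDirs = new ArrayList<Path>();

    public SafeDownloadWriter(List<Path> downloadAllowedDirs) throws IOException {
        // Resolve the allow-list once so every later comparison is against real paths.
        for (Path dir : downloadAllowedDirs) {
            allowedDirs.add(dir.toRealPath());
        }
    }

    /** Returns the real path the client asks to write, or throws if its directory
     *  lies outside every allowed directory. */
    public Path resolveAllowed(Path requested) throws IOException {
        Path abs = requested.toAbsolutePath().normalize();
        Path parent = abs.getParent();
        if (parent == null) {
            throw new SecurityException("target has no parent directory: " + requested);
        }
        // toRealPath() follows symlinks, so a planted "downloads/escape -> elsewhere"
        // resolves to a parent outside the allow-list and is rejected.
        Path realParent = parent.toRealPath();
        for (Path allowed : allowedDirs) {
            if (realParent.startsWith(allowed)) {
                return realParent.resolve(abs.getFileName());
            }
        }
        throw new SecurityException("target outside downloadAllowedDirs: " + requested);
    }

    /** Never overwrites. CREATE_NEW maps to O_CREAT|O_EXCL: the open fails if anything,
     *  a symlink included, already sits at the path, so there is no check-then-write window. */
    public void writeExclusive(Path requested, byte[] data) throws IOException {
        Path target = resolveAllowed(requested);
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            out.write(data);
        }
    }

    /** Atomic publish: data lands in a temp file (created mode 0600 by the JDK) in the
     *  target's directory, then one rename moves it into place, so readers see either
     *  no file or the complete file. */
    public void writeAtomically(Path requested, byte[] data, boolean allowOverwrite)
            throws IOException {
        Path target = resolveAllowed(requested);
        // rename(2) replaces whatever is at the target, so this guard is best-effort:
        // a window remains between the check and the move. Use writeExclusive where
        // overwriting must be impossible rather than merely unlikely.
        if (!allowOverwrite && Files.exists(target, LinkOption.NOFOLLOW_LINKS)) {
            throw new FileAlreadyExistsException(target.toString());
        }
        // Same directory as the target: a rename is only atomic within one filesystem.
        Path tmp = Files.createTempFile(target.getParent(), ".partial-", ".tmp");
        try {
            Files.write(tmp, data);
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: one allowed download directory, one directory outside it,
        // and a symlink inside the allowed one pointing outside (POSIX; Windows needs privilege).
        Path downloads = Files.createTempDirectory("downloads");
        Path outside = Files.createTempDirectory("outside");
        Files.createSymbolicLink(downloads.resolve("escape"), outside);

        SafeDownloadWriter writer = new SafeDownloadWriter(Arrays.asList(downloads));
        Path target = downloads.resolve("file.dat");
        writer.writeAtomically(target, "hello".getBytes(StandardCharsets.UTF_8), false);
        System.out.println("wrote " + Files.size(target) + " bytes to " + target);

        try {
            writer.writeExclusive(target, new byte[0]);
        } catch (FileAlreadyExistsException e) {
            System.out.println("refused to overwrite: " + e.getFile());
        }
        try {
            writer.writeAtomically(downloads.resolve("escape").resolve("x.dat"), new byte[0], false);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The allow-list check and the final open are still two separate steps, so a directory swapped for a symlink between them is not caught by resolveAllowed(); CREATE_NEW protects only the final path component. That residual window is why the reply treats the directory-level policy (downloadAllowedDirs, TestDDA) and the write primitive as complementary rather than interchangeable.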