Only myLeoSettings.leo or leoSettings.leo can be allowed to enable settings
that could cause code to be executed automatically. Previously, Leo
checked only the following settings:
- @bool scripting-at-script-nodes (mod_scripting.py)
- @bool nodewatch-autoexecute-scripts (nodewatch.py)
*Security issues in mod_http.py*
There are two settings in mod_http.py that have serious security
implications:
*@bool http-allow-remote-exec*
This setting enables the get_response method. It's not clear whether this
is ever active.
*@data mod-http-script*
This setting definitely is used. When a web page loads, this setting
"injects" the contents of the @data node into the <script> element of the
web page! The danger is as follows. Suppose:
1. mod_http.py is enabled, say in x.leo, or worse, in myLeoSettings.leo.
2. The user downloads a .leo file containing a malicious @data
mod-http-script.
3. The mod_http plugin will execute this script (in the browser) the next
time the user opens the web page created by mod_http.
At present, the new security check in mod_http.py only happens when the
page loads or reloads, so it doesn't always show up. This isn't best, but
it isn't easy to check settings early in the load process.
*How to protect settings*
The new g.issueSecurityWarning function provides a standard way of
reporting security violations. For example:
    # Commander of the outline whose settings are being checked.
    c = g.app and g.app.log and g.app.log.c
    key = g.app.config.munge(setting)
    # Refuse the setting if it comes from a local .leo file rather than
    # leoSettings.leo or myLeoSettings.leo.
    if c and key == 'httpscript' and c.config.isLocalSetting(key, 'data'):
        g.issueSecurityWarning('@data http-script')
        return ""
*Security problems for abbreviations*
@data abbreviations-subst-env defines executable python code as the
environment for abbreviations.
This setting is useful but it could be lethal in the hands of a hacker. *Leo
must protect this setting!*
*Implications for leowapp.py*
leowapp.py will not define javascript in a setting! Instead, we'll use
leowapp.js, tracked by git.
*Summary*
@data nodes that contain *any* kind of executable code are dangerous, as
are @bool settings that allow scripting. These settings should only be
defined in myLeoSettings.leo, with defaults, if any, in leoSettings.leo.
The leowapp plugin will contain no such dangerous settings.
At present, @data abbreviations-subst-env is an invitation to hackers. Leo
will soon protect this setting.
Edward
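The policy described in the post (settings that can run code are honoured only when they come from leoSettings.leo or myLeoSettings.leo), as an added Python example that is not Leo's own code or Edward's: the munge() normalisation, the trusted file names and the Setting record are assumptions, and the sample settings are constructed.

```python
# Added example (not Leo's own code): honour settings that can trigger code
# execution only when they come from a trusted settings file, as the post
# describes. Setting names are from the post; munge(), the trusted file names
# and the Setting record are assumptions made for this illustration.
from typing import NamedTuple

TRUSTED_FILES = ("leoSettings.leo", "myLeoSettings.leo")

def munge(name):
    """Normalise a setting name (assumed to mirror Leo's key matching):
    drop hyphens and underscores, lowercase, so 'Mod-HTTP_script' matches."""
    return name.replace("-", "").replace("_", "").lower()

# (kind, munged name) pairs the post identifies as able to run code.
DANGEROUS = {(k, munge(n)) for k, n in [
    ("bool", "scripting-at-script-nodes"), ("bool", "nodewatch-autoexecute-scripts"),
    ("bool", "http-allow-remote-exec"), ("data", "mod-http-script"),
    ("data", "abbreviations-subst-env")]}

class Setting(NamedTuple):
    kind: str     # 'bool' or 'data'
    name: str
    value: object
    source: str   # basename of the .leo file that defined it

def is_local(source):
    """A 'local' setting is one defined outside the trusted settings files."""
    return source not in TRUSTED_FILES

def resolve(settings):
    """Return (effective, warnings). Later entries override earlier ones
    (leoSettings -> myLeoSettings -> x.leo load order), but a dangerous
    setting coming from a local file is dropped and a warning recorded."""
    effective, warnings = {}, []
    for s in settings:
        key = (s.kind, munge(s.name))
        if key in DANGEROUS and is_local(s.source):
            warnings.append(f"@{s.kind} {s.name} ignored: defined in {s.source}")
            continue
        effective[key] = s.value
    return effective, warnings

# Constructed sample: a default, a user override, and a downloaded outline
# that tries to smuggle in a script and switch on @script execution.
SAMPLE = [
    Setting("data", "mod-http-script", "", "leoSettings.leo"),
    Setting("bool", "http-allow-remote-exec", False, "myLeoSettings.leo"),
    Setting("data", "mod-http-script", "/* attacker-supplied JS */", "downloaded.leo"),
    Setting("bool", "scripting-at-script-nodes", True, "downloaded.leo"),
    Setting("bool", "some-harmless-setting", True, "downloaded.leo"),
]
```

Running resolve(SAMPLE) keeps the two trusted entries and the harmless local one, and records one warning for each dangerous setting that downloaded.leo tried to define.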