-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following votes were given:

+1 Alan Cabrera (transferred from vote on vcl-...@i.a.o list)
+1 Kevan Miller (transferred from vote on vcl-...@i.a.o list)
+1 Niall Pemberton
+1 Ant Elder

Leo Simons made some notable comments:

> 3) There is no website yet? You really have to do a basic homepage
> over at http://incubator.apache.org/vcl/, for example so that you can
> point people at mirrors (see http://www.apache.org/dev/#mirror about
> the mirroring system).

Our plan is to copy the autoexport from our VCLDOCS confluence space as the 
content for our official web space.  VCLDOCS was created recently, and we 
haven't started migrating our content there yet.  For now, I've used a 
slightly modified version of the index page from our VCL confluence space to 
be a placeholder at the URL you've listed.  Once we get the release out, I'll 
change the link for "VCL 2.1 Information" under Project Resources to not have 
the "(unreleased)" part.

> 4) Since this is PHP code I did a cursory code review for SQL
> injection / XSS / etc. It seems like that's had some attention, but at
> a glance maybe its not quite perfect? For example checkAccess() in
> utils.php:
>
>                 $xmlpass = $_SERVER['HTTP_X_PASS'];
>                 if(get_magic_quotes_gpc())
>                         $xmlpass = stripslashes($xmlpass);
>
> where $xmlpass is used moments later to execute SQL:
>
>                         $query = "SELECT x.id "
>                                . "FROM xmlrpcKey x, "
>                                .      "user u "
>                                . "WHERE x.ownerid = u.id AND "
>                                .       "u.unityid = '$xmluser' AND "
>                                .       "x.key = '$xmlpass' AND "
>                                .       "x.active = 1";
> 
> Another piece of suspect code would be in submitLogin() in
> authentication.php which does not appear to validate the
> $_POST['password']. I'm by no means a PHP expert so I might be making
> a fool of myself here, but better safe than sorry. So, can you explain
> (preferably on, err, your website) what measures are in place to guard
> against things like SQL injection and XSS?

Wow - thanks for poring over the code that carefully!  I am the author of the 
php part of the code.  Some time ago (before we even migrated to ASF), I went 
over everything to protect against SQL injection and XSS attacks.  However, 
more recently, I discovered that the measures in place for protection messed 
up passwords with special characters in them in the places you've pointed out 
above.  I made changes to allow the passwords to work.  I've created a JIRA 
issue (VCL-274) to look into making those parts secure again.

We have several sites using VCL already from SVN.  Given that and the fact 
that we did get enough votes to pass, I'm going to go ahead and get this 
release out so those sites can have something official, and then address the 
SQL injection/XSS hardening in Apache VCL 2.2.

Thanks,
Josh Thompson
Apache VCL release manager
- -- 
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLF/7nV/LQcNdtPQMRAmn+AJ0XSR7T1TTGQlOgAxq+qYjHa5EduwCfZMtj
OiA35oS97b/Bc7U//YC7WUE=
=9aw2
-----END PGP SIGNATURE-----
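As an added example (not code from the message above or from Apache VCL), here is the lookup quoted from checkAccess() beside a prepared-statement version, run against an in-memory SQLite database that mimics the xmlrpcKey and user tables. Everything beyond the quoted query is an assumption: the table layout, the sample rows, the user and key names, and the use of PDO with the sqlite driver in place of the project's MySQL connection.

```php
<?php
// Added example, not Apache VCL code: the interpolated lookup quoted from
// checkAccess() beside a parameterized version, run against an in-memory
// SQLite database that mimics the xmlrpcKey and user tables. The table
// layout and every row are assumptions made for this demonstration.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, unityid TEXT NOT NULL)');
    $db->exec('CREATE TABLE xmlrpcKey (id INTEGER PRIMARY KEY, ownerid INTEGER NOT NULL, '
            . 'key TEXT NOT NULL, active INTEGER NOT NULL)');
    // Constructed sample data. The key deliberately contains a quote and a
    // backslash, the kind of "special characters" that broke the old escaping.
    $db->exec("INSERT INTO user (id, unityid) VALUES (1, 'alice')");
    $db->exec("INSERT INTO xmlrpcKey (id, ownerid, key, active) VALUES (7, 1, 'p4ss''w\\ord', 1)");
    return $db;
}

// Same query shape as the quoted code: caller-controlled strings dropped
// straight into the SQL text. Returns the key id, or null if nothing matched.
function lookupKeyIdInterpolated(PDO $db, string $xmluser, string $xmlpass): ?int
{
    $query = "SELECT x.id "
           . "FROM xmlrpcKey x, "
           .      "user u "
           . "WHERE x.ownerid = u.id AND "
           .       "u.unityid = '$xmluser' AND "
           .       "x.key = '$xmlpass' AND "
           .       "x.active = 1";
    $id = $db->query($query)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened version: the SQL text is fixed and the values travel as bound
// parameters, so quotes and backslashes in a key are data, never syntax.
// No stripslashes()/addslashes() juggling is needed (and get_magic_quotes_gpc()
// no longer exists in PHP 8).
function lookupKeyIdPrepared(PDO $db, string $xmluser, string $xmlpass): ?int
{
    $stmt = $db->prepare(
        'SELECT x.id FROM xmlrpcKey x, user u '
      . 'WHERE x.ownerid = u.id AND u.unityid = :user AND x.key = :key AND x.active = 1'
    );
    $stmt->execute([':user' => $xmluser, ':key' => $xmlpass]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$db = makeDb();
$realKey = "p4ss'w\\ord";      // what a legitimate client would send in the X-Pass header
$payload = "' OR '1'='1";      // what an attacker sends instead of a key

// 1. Injection: the interpolated WHERE clause degrades to
//    "... x.key = '' OR '1'='1' AND x.active = 1", so the OR branch matches any
//    active key and the lookup succeeds for a user that does not even exist.
//    The bound version compares the whole payload against x.key and finds nothing.
var_dump(lookupKeyIdInterpolated($db, 'nobody', $payload));
var_dump(lookupKeyIdPrepared($db, 'nobody', $payload));

// 2. Correctness: the legitimate key with special characters produces a
//    malformed query when interpolated (PDO throws), but matches when bound.
try {
    lookupKeyIdInterpolated($db, 'alice', $realKey);
} catch (PDOException $e) {
    echo "interpolated lookup failed: " . $e->getMessage() . "\n";
}
var_dump(lookupKeyIdPrepared($db, 'alice', $realKey));
```

Run it with `php example.php` on a PHP build that has pdo_sqlite enabled. The same pattern applies unchanged to the project's MySQL connection: with mysqli, `prepare()` plus `bind_param('ss', $xmluser, $xmlpass)`; with PDO, a `mysql:` DSN and the code above. Escaping on input (magic quotes, addslashes) is what forced the trade-off between "passwords with special characters work" and "the query is safe"; binding the value removes that trade-off because the database never parses the key as SQL.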
