Hi,

Carsten Ziegeler wrote:
> Bertrand Delacretaz wrote:
>> Hi Jukka,
>>
>> On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting <[email protected]> wrote:
>>> ...I was thinking about the implications of giving a user write access to
>>> a subtree of the repository. With that access the user could now
>>> upload a new script and create a node that invokes that script when
>>> rendered....
>>
>> Requiring scripts to be stored under /libs or /apps, as a first step
>> until we have something better, could help here, as website users are
>> not supposed to be able to write to these locations.
>>
> I'm not sure if I understand the whole discussion here. But scripts are
> only picked up from configured paths (libs and apps by default). So as long as the
> user is not allowed to write in these locations, everything should be fine.
Well, there is a chance here, of course: Consider the node is created as /content/bad with resource type "/content/malicious" and the script as /content/malicious/html.esp. Then the request to /content/bad.html would in fact call the script.

This is kind of the security downside of the full flexibility and openness we have ....

Of course, restricting scripts to live inside any of the ResourceResolver.getSearchPath() or defining an execution permission would help resolve this issue. I personally would prefer the execution permission approach (though it may fall short of scripting languages calling into the resource resolver (or the repository directly) to load included scripts ....)

But it would not prevent a properly authorized user from writing and using a malicious script in /apps/sling/servlet/default/html.esp.

Regards
Felix
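The search-path restriction discussed in this thread, as an added example that is not part of the original mail or of Sling's code: a small Python model of resource-type to script resolution in which a script is only selected when its normalised path lies under one of the configured search paths. The default search path of /apps/ then /libs/, the repository contents and the function names are all assumptions of this example.

```python
import posixpath

# Constructed model of Sling's script resolution (not Sling's own code).
# Assumed default ResourceResolver.getSearchPath(): /apps/ then /libs/.
SEARCH_PATH = ["/apps/", "/libs/"]

# Constructed repository: node path -> sling:resourceType.
REPOSITORY = {
    "/content/bad": "/content/malicious",      # absolute type pointing under /content
    "/content/good": "sling/servlet/default",  # relative type, resolved via search path
}

def candidate_scripts(resource_type, extension="html", engine="esp"):
    """Candidate script paths for a resource type, mirroring the thread's example:
    type '/content/malicious' + 'html' + 'esp' -> '/content/malicious/html.esp'."""
    if resource_type.startswith("/"):
        bases = [resource_type]                           # absolute type: used as-is
    else:
        bases = [p + resource_type for p in SEARCH_PATH]  # relative type: search path prefixed
    return [posixpath.join(b, f"{extension}.{engine}") for b in bases]

def is_under_search_path(script_path, search_path=SEARCH_PATH):
    """True only if the normalised path lies inside one of the search path roots.
    normpath collapses '..' segments; comparing against root + '/' rejects
    prefix look-alikes such as '/appsfoo/'."""
    norm = posixpath.normpath(script_path)
    for root in search_path:
        if norm.startswith(root.rstrip("/") + "/"):
            return True
    return False

def select_script(resource_type, extension="html", engine="esp"):
    """First candidate that passes the search-path restriction, else None."""
    for cand in candidate_scripts(resource_type, extension, engine):
        if is_under_search_path(cand):
            return cand
    return None

def resolve_request(request_path):
    """Map a request such as '/content/bad.html' to the script that would run."""
    node_path, _, extension = request_path.rpartition(".")
    resource_type = REPOSITORY.get(node_path)
    if resource_type is None:
        return None
    return select_script(resource_type, extension)

if __name__ == "__main__":
    print(resolve_request("/content/bad.html"))   # None: script under /content refused
    print(resolve_request("/content/good.html"))  # /apps/sling/servlet/default/html.esp
```

The second request shows the limit Felix notes: a script a user is authorized to write under /apps still passes, so the check only helps where write access to the search paths is itself restricted.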
