Hi Brian, Having recently attended a session on security exploits in the JDK I'm realising the extent of possible security issues in JSPWiki by opening up the possibility of external jars and external configuration, not to mention plugins. For plugins that by their nature have security issues (such as our GroovyPlugin and JavaScriptPlugin) we have taken the approach of not simply enabling them via a property, as this would permit them to be made operational by a property exploit, but rather "permanently" disabling them via a private static member variable, such that the classes must be modified and recompiled in order to function.
I suppose the take-home message was that the open sandbox of the 90s has given way to the Java environment being a real target for security exploits that we probably shouldn't contribute to, i.e., we need to be very aware of side effects to our designs. Ichiro On Thu, Feb 27, 2014 at 11:46 AM, Brian Burch <br...@pingtoo.com> wrote: > On 26/02/14 19:03, Harry Metske wrote: > >> hmm, to be honest I never considered this situation of having custom tags >> in the plugin jar. >> I am not sure if that can be fixed, I would have to dive into that a bit >> more.. >> >> regards, >> Harry >> > > <snip/> > >> <and-so-on/> >>> >>> I wonder whether "war surgery" is an inevitable consequence of having >>> contributed plugins that are not distributed inside the jspwiki war >>> file? I >>> don't think my plugin is unusual by needing additional css styles and >>> tags, >>> as well as the plugin itself. At the moment, these all need to be grafted >>> into the deployed webapp directory structure. >>> >> > You know the old saying... when you are in a hole, STOP DIGGING! > > It was a good idea of yours to try finding a way to let users deploy a > contributed plugin outside the webapp, but your reply indicates it was not > a trivial task. > > That brings me back to a point I made in an earlier thread - perhaps it > should be easier to get a plugin accepted into the main distribution and > managed as part of jspwiki? > > All these "extra" plugins could be enabled/disabled via properties, > possibly using your ClassLoader concepts, so that disabled plugins don't > get loaded at all and so won't represent a security risk for users who > don't want them active? > > Thanks for your thoughts and help, > > Brian >
