On Mon, Apr 27, 2009 at 8:35 PM, Niels Mayer <nielsma...@gmail.com> wrote:
>> Likewise a different user, e.g. 'ooserv' in the example above, should be
>> the only user able to write in /home/ooserv and be the user running the
>> OpenOffice server. If someone "hacks" via the OpenOffice server importer, at
>> best they'll be able to get it to write some data into /home/ooserv, but it
>> will not be able to change which web-apps are deployed on your server. The
>> latter could potentially happen, in theory, because the OpenOffice server is
>> running as same user as the Java web container.
>>
>

Speaking of the above, can anybody think of any scenarios that would get the OpenOffice converter to output some embedded Velocity that would then get called on every page view of the imported document?

The last time I used the OOo converter, the resulting document presented with an empty creation- or modify-user field (bug?) and not the user that imported the document (e.g. "Creation by on Jan 27, 2009 17:58:17 GMT-08:00" in http://morgellonswiki.info/xwiki/bin/view/Sandbox/GLN_Int-J-Med-98#Information). If the document written with such an unexpected user field causes accidental invocation of $doc.saveWithProgrammingRights(), there would be an escalation of privilege issue that would allow destructive access to the database.

Even with the document's creation/modify set correctly, a further potential scenario exists: "Innocent-sounding user asks admin for help fixing imported document, admin "fixes" problem, but saves the document with programming rights (since he's admin). Now the previously disabled Velocity hidden in the document starts working...."

In other words, it might be a good idea to take extraordinary "defensive programming <http://en.wikipedia.org/wiki/Defensive_programming>" measures to make sure $doc.saveWithProgrammingRights() can never be called on an imported document.

Or, generalizing further, that it shouldn't be called when an admin saves any document that wasn't previously saved with programming rights, without a special notification indicating which other user's modifications you'd be trusting.... (¿Comments?)

-- Niels
http://nielsmayer.com

_______________________________________________
devs mailing list
devs@xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
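The save policy proposed in the message above (never programming rights for an imported document; an admin saving a document that was not previously saved with programming rights must explicitly acknowledge whose modifications are being trusted), as an added Python example that is not XWiki's own code. The WikiDoc fields, the Decision type and the Velocity pattern are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical model of a wiki document; the field names are assumptions.
@dataclass
class WikiDoc:
    content: str
    last_author: str        # empty string models the blank user field seen after import
    imported: bool          # produced by the OpenOffice importer
    previously_pr: bool     # already saved with programming rights at some earlier point

@dataclass
class Decision:
    allowed: bool
    reason: str

# Crude detector for Velocity directives and references embedded in page content.
VELOCITY = re.compile(r"#(?:set|if|foreach|macro|include|parse)\b|\$!?\{?[A-Za-z_][\w.]*")

def contains_velocity(content: str) -> bool:
    return VELOCITY.search(content) is not None

def decide_programming_rights(doc: WikiDoc, saver: str, acknowledged: bool = False) -> Decision:
    """Decide whether `saver` (assumed to hold programming rights) may save `doc`
    with programming rights. Imported documents and documents without a recorded
    author are refused; another user's content is only accepted once the saver has
    explicitly acknowledged whose modifications are being trusted."""
    if doc.imported:
        return Decision(False, "imported documents are never saved with programming rights")
    if doc.previously_pr:
        return Decision(True, "document was already saved with programming rights")
    if not doc.last_author:
        return Decision(False, "no recorded author; refusing to trust anonymous content")
    if doc.last_author == saver:
        return Decision(True, "saver is saving their own modifications")
    scripted = " (content contains Velocity)" if contains_velocity(doc.content) else ""
    if not acknowledged:
        return Decision(False, f"would trust modifications by {doc.last_author}{scripted}; "
                               "explicit confirmation required")
    return Decision(True, f"saver confirmed trusting modifications by {doc.last_author}{scripted}")

# Constructed sample documents for the three situations discussed in the thread.
IMPORTED = WikiDoc("Report text $doc.saveWithProgrammingRights()", "", True, False)
HELP_REQUEST = WikiDoc("Please fix my table #set($q = $doc.content)", "newuser", False, False)
TRUSTED = WikiDoc("#set($x = 1)", "admin", False, True)

if __name__ == "__main__":
    for name, d in [("imported", IMPORTED), ("help request", HELP_REQUEST), ("trusted", TRUSTED)]:
        print(name, decide_programming_rights(d, "admin"))
```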