Re: [josm-dev] New Tested

Sat, 26 Feb 2011 05:20:26 -0800 

On Sat, 26 Feb 2011, Dirk Stöcker wrote:


 2. what parts of JOSM will not work as long as the server is down?



Every automatism (update-list, plugins-list, style-list, help and start 
page), and Yahoo download. For all of these users would need to do the manual 
way - download and install :-) The same as when using JOSM offline.


To make it clearer:

JOSM accesses following server values:
/plugins
  * collected list of plugins and their meta information
/plugin-icons.zip
  * collected list of plugin icons to make plugin table nicer
/styles
  * collected list of external styles to be used for installation
/presets
  * collected list of external presets to be used for installation

- StartupPage and Help as well as their translations for display
- Yahoo-WMS-Access-script


None of these are criticial infrastructure and all pass through certain 
layers of security checks, so malcontent must be carefully crafted. The 
easiest is to write a dangerous plugin (due to bugs in older versions you 
can produce exceptions (e.g. NPE) with crafted styles/presets as well).



Attacking through the web-services itself is much more complicated, as you 
need to trick Trac as well as the JOSM server checks and JOSM itself. Yes, 
it is possible, but even if I spend my whole days checking and fixing 
holes I can't prevent it.



Since the time we accessed the web-pages directly to extract 
information, there have been many improvements and the newest changes 
again reduce the influence of external hosted contents. It is much easier 
to have plugins in OSM-SVN than to develop them external, so nearly all of 
them are in OSM-SVN, where we can have a look at. Now we created a system, 
which makes adding styles/presets in the wiki much easier than handling 
them externally, so the number of externally managed content will decrease 
over time and it is easier to have a look at that stuff.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)
_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev























					Reply via email to