On Sun, 27 Feb 2011, Frederik Ramm wrote:
Well, you assume that OSM-SVN is much better than external plugins.
In OSM SVN, if someone uploads malicious code, at least we know who it was.
We can block the account. They will have difficulty repeating that.
As things are with JOSM trac, someone can change the address and version of a
popular plugin to his malicious code, and the malicious plugin will
automatically find its way onto the harddisks of JOSM users everywhere. And
No. He can't. He only can add a new one with a new name.
You should take a look again at what was written previously. The wiki
interface allows you add stuff. But this is not the interface which is
accessed by JOSM. JOSM accesses an compiled interface, which is created by
internal cron job. You can't overwrite the SVN-plugin links in a magic way
(if you can, then the cron job would be buggy and needs to be fixed).
This is not new - I know that. But it is a change that came gradually and
nobody ever raised a warning. In the beginning we just had a plugin list that
people could look at, and click on a link to download something. Later we
parsed the list automatically, and now we're even doing so in regular
intervals. In my eyes this is asking for trouble, and a security policy of
No. We don't do that. There is an important abstraction layer between the
Wiki and JOSM input data. I didn't introduce that because it thought I
need to change anything, but because I wanted to take away the chance to
do exactly what you propose here could be done.
As said - The time that JOSM parsed Wiki pages is long gone - except for
start page and help - which are only displayed in a limited web-display
(i.e. no javascript, ...), not parsed.
So the same for plugins. Our open policy caused a lot of plugins
introducing new features and attracted new developers. I don't want to
change this without a real reason.
Yeah, let's not get too distracted. This is not about stricter rules. It's
just about making sure that if config changes are made that affect JOSM
users, these config changes should not come from anonymous users. Or else, if
we don't want to do that, then we must at least invent something that shields
JOSM users from it - say, have a default mode in JOSM that is "only accept
configuration updates from registered JOSM contributors" vs. "accept
anonymous configuration updates from everyone", with the default being option
1.
Again I assume that this written with the idea behind, that anybody can
directly influence the data JOSM gets. This is not possible. You always
have to pass through validity checks. There are leaks there as well, but
they are much harder to explore than a simple "Edit the wiki".
The JOSM server cron can introduce a lot of additional checks in future to
prevent certain types of attacks when the need arises. One reason why the
server code is not public is that I want to prevent code analysis for
potential security issues. I know "security by obscurity" does not work,
but it at least increases the workload for the attacker and most tries to
fiddle around with issues therein would cause a lot of logs to pop up in
my mailbox.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev
