Author: poeml
Date: Sun Nov 14 16:52:57 2010
New Revision: 8228
URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain?rev=8228&view=rev
Log:
docs/configuration:
- add a section with security notes regarding yum-style mirror lists
Modified:
trunk/docs/configuration.rst
Modified: trunk/docs/configuration.rst
URL:
http://svn.mirrorbrain.org/viewvc/mirrorbrain/trunk/docs/configuration.rst?rev=8228&r1=8227&r2=8228&view=diff
==============================================================================
--- trunk/docs/configuration.rst (original)
+++ trunk/docs/configuration.rst Sun Nov 14 16:52:57 2010
@@ -263,8 +263,13 @@
expression that catches several things.
These regular expressions are forced to be anchored to start and end, for
- security reasons. (See below.)
-
+ security reasons.
+
+ When you use strings like ``10.0``, remember that the dot is a magic in
+ regular expressions (matching any character), so you should escape it with a
+ backslash (see examples below).
+
+ See the next section for a discussion of security implications.
.. describe:: subdir
@@ -281,6 +286,9 @@
here. (*Not* with the second argument that yum passes in. That would make no
sense -- since the order in which it places the values is not specified.)
+ It is not necessary to put ``()`` braces around the regexps, to declare
them as a
+ "match group". *Every* regexp is a match group.
+
.. describe:: mandatory_file
@@ -308,6 +316,14 @@
Things you should note:
+- Symlinks are automatically handled. Remember that symlinks on mirrors are
+ invisible when scanning is done only via HTTP. To avoid having multiple trees
+ in your database, you should make sure that only "real" directories are
+ scanned via ``scan_top_include`` in :file:`/etc/mirrorbrain.conf`.
+ MirrorBrain canonicalizes all paths in the local filesystem before doing a
+ lookup in the database. Therefore, it doesn't matter if the query arguments
+ are in fact resolving to a symlink to a file tree.
+
- If no mirror is found in the database, any mirror configured via
``MirrorBrainFallback`` is considered. If none of the latter is configured,
MirrorBrain at least returns its own URL, which, after all, will give the
@@ -316,7 +332,44 @@
- The client needs to specify all arguments defined in a MirrorBrainYumDir, and
all must match.
-
+Security considerations are discussed in the following section.
+
+Security notes
+~~~~~~~~~~~~~~
+
+- Because MirrorBrain uses strings that are passed in from clients, which could
+ potentially be malicious, these are handled with care.
+
+ The normal resource limits of request processing in Apache apply. There is no
+ special sanitizing for '/../' elements in the path.
+
+ Such arguments are accepted if the regular expression leaves room for that --
+ for instance, if it contains wildcards as ``.*``.
+
+ In any case, the resulting path is canonicalized in the local file system. It
+ is assumed that this cannot have bad effects. The most that an attacker can
+ achieve is that a path is canonicalized to an existing file on the server.
+ For Apache, this will mean that it (debug-) logs something like::
+
+ Error canonicalizing filename
'/srv/nullmirrors/centos/5/os/x86_64/../../../../../../etc//repodata/repomd.xml'
+
+ Canonicalization still fails because the file checked is always the one
+ specified by the admin. Even if the canonicalization would accidentally work,
+ no information about the file, or even about the success or failure, would be
+ returned to the client.
+
+ Any error in canonicalization will stop processing of the request. Success
+ (let's assume it is possible) will result in the path being used in a
+ database SQL query, asking for mirrors that have the file, which is highly
+ unlikely. The SQL argument is passed to the database via a prepared statement
+ with bound parameters, so there is no chance for SQL injection attacks.
+
+ (And all Apache logging undergoes escaping, excluding viewing logs etc. as
+ attack vector.)
+
+ Still, it seems prudent to recommend to downright avoid the issue by using
+ more specific regular expressions that accept only what you want.
+
.. _styling_details_pages:
@@ -387,7 +440,8 @@
mirror will still apply.
Thus, this solution is more powerful than simple DNS-based round robin, or
- random request distribution via mod_rewrite.
+ random request distribution via mod_rewrite. (Of course, contrary to those
+ other solutions, it requires tracking the mirrors' status and contents.)
.. _`mod_setenvif`: http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html
_______________________________________________
mirrorbrain-commits mailing list
Archive: http://mirrorbrain.org/archive/mirrorbrain-commits/
Note: To remove yourself from this list, send a mail with the content
unsubscribe
to the address mirrorbrain-commits-requ...@mirrorbrain.org
