Hi Wolfgang,

On 01.03.10 16:31, Wolfgang Jeltsch wrote:
> On Monday, 1 March 2010 15:38:13, Andreas Hartmann wrote:
>> Hi Wolfgang,
>>
>> On 01.03.10 14:20, Wolfgang Jeltsch wrote:
>>> the root page of the Lenya 2.0.3 servlet lets you create new publications
>>> without requiring any authentication. Doesn’t this mean that an attacker
>>> could cause a denial of service by repeatedly creating publications?
>>
>> your site should not make this page accessible to the public. Usually
>> only the pages in <pub>/live are accessible without authentication.
>> Since the "New publication" page is not in a publication and therefore
>> cannot be protected using the standard Lenya authentication and
>> authorization mechanisms, you should protect it using digest auth or a
>> similar mechanism. Beware that the usecase can also be called from other
>> URIs.
>
> I don’t really understand your solution. Do you mean that I should protect all
> pages except those in the live area by authentication at the HTTP level?

no, this applies only to pages outside publications. The pages in publications
can be protected by the standard Lenya access control mechanism.

> […]
>
> In my opinion, Lenya pages should be accessible by everyone in principle. If
> they have to be protected then Lenya should take care of this. As far as I can
> see, this works for everything that is related to a specific publication. Alas,
> it doesn’t work for the creation of a new publication.

The usecase invocation for document-agnostic usecases is usually orthogonal to
the URI space. So you could deny access to everything outside publications and
make the createPublicationFromTemplate usecase available inside a publication,
e.g. via a menu item.

> What URLs have to be blocked for the general public so that ordinary internet
> users cannot modify data on the server (like the publications store)? Is there
> any documentation on the web that documents which URLs are “unsafe”?

In the standard Lenya distribution there are no unsafe documents (AFAIK), since
all modifications in the repository are executed by usecases. The usecase
policies define the write protection specifics for your Lenya application.

> Unfortunately, the usual pages about setting up Lenya do not seem to mention
> the need for extra authentication at all. So it was only after more than a
> year of Lenya usage that I discovered this problem. :-(

I think it is mentioned somewhere, but we should probably make it more
prominent. Any documentation patches are of course very welcome.

-- Andreas


--
Andreas Hartmann, CTO
BeCompany GmbH
http://www.becompany.ch
Tel.: +41 (0) 43 818 57 01
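The HTTP-level protection Andreas describes above ("deny access to everything outside publications", keep `<pub>/live` public), written out as an added example; this is not part of the thread and not Lenya project code. It is an Apache httpd 2.4 reverse-proxy fragment with mod_auth_digest in front of the servlet. Everything in it beyond the `<pub>/live` layout named in the thread is an assumption: the servlet listening on `localhost:8080` under `/lenya`, the realm name `lenya-admin`, and the digest file path `/etc/httpd/lenya.digest`.

```apache
# Added example (not from the thread or the Lenya project).
# Assumed: Lenya answers on http://localhost:8080/lenya; mod_proxy_http and
# mod_auth_digest are enabled; the realm name and digest file are placeholders.
# The digest file is created with the standard tool, using the same realm:
#   htdigest -c /etc/httpd/lenya.digest lenya-admin admin

ProxyPass        "/lenya" "http://localhost:8080/lenya"
ProxyPassReverse "/lenya" "http://localhost:8080/lenya"

# Default for the whole servlet: digest authentication. This covers the root
# page with the "New publication" form and, because it is URI-agnostic, any
# other URI from which a usecase outside a publication could be invoked.
<Location "/lenya">
    AuthType Digest
    AuthName "lenya-admin"
    AuthDigestProvider file
    AuthUserFile "/etc/httpd/lenya.digest"
    Require valid-user
</Location>

# Exception: the live area of every publication (<pub>/live) stays public.
# Lenya's own access control policies keep applying there.
<LocationMatch "^/lenya/[^/]+/live(/|$)">
    AuthType None
    Require all granted
</LocationMatch>
```

With this arrangement editors get two logins (the HTTP digest prompt, then Lenya's own). Excepting the authoring area at the HTTP level as well would remove the second prompt, but it also re-exposes any usecase reachable from those URIs, so that choice has to be backed by Lenya's usecase policies rather than by the proxy.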

