[Zope-dev] Re: Unsecure design of ExternalFile

Craeg K Strong cstrong@arielpartners.com
Fri, 08 Nov 2002 14:30:51 -0500


OK

How about this for the TODO list for ExternalFile:

Create a facility whereby ExternalFiles must be created
within a set of allowed directory(ies), specified in

.../etc/allowedDirectories.txt

For example:
#
# helpful comment goes here
#
/     # allow everything
#

Or:
#
/home/webserver/public  # public stuff
/archive/repository/    # read only dir full of downloaded PDFs
/space/temp             # temporary area for testing

Or:
#
c:\Documents And Settings  # docs dir

- the create dialog will list the current set of allowed directories,
but not allow changes (changes must be done by hand to the txt file)

- there is no default for allowedDirectories.txt
I will ship it with no entries,
meaning that the product is effectively disabled by default

- If no directory is set, ExternalFile.py will raise an Exception at
Zope startup time, indicating that at least one allowdir must be set.
The exception report will include appropriate instructions.

Comments?

--Craeg

Martijn Pieters wrote:
> On Thu, Nov 07, 2002 at 11:24:35AM -0500, Craeg K Strong wrote:
> 
>>What would you recommend?  Perhaps there should be
>>a predefined list of "forbidden" directories for ExternalFiles?
>>The problem is that-- in the development scenario-- the
>>very things you mention below might be what you
>>legitimately *want* to do as a developer.
> 
> 
> 'Jail' the base directory. Files can only be referenced within the jail.
> Relative paths outside the jail are forbidden. This is what FTP and web
> servers do, and so should ExternalFiles. A full path (starting with a '/')
> then starts at the base directory.
> 
> The base directory should not be configurable through the web. Rather, use
> an environment variable. Only one directory is needed, as files that need to
> be accessible can be copied or symlinked.
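As an added illustration (not code from the thread or from the ExternalFile product), the following Python sketches the two pieces discussed above: a parser for the proposed allowedDirectories.txt format (`#` comments, one absolute directory per line, empty file means disabled) and a jail check that rejects any file whose resolved path leaves the allowed directories. The config text, function names and POSIX-only path handling are assumptions.

```python
import os
from typing import List

# Constructed sample of the proposed .../etc/allowedDirectories.txt format
# (an illustration of the format in the thread, not a shipped file).
SAMPLE_CONFIG = """\
#
# helpful comment goes here
#
/home/webserver/public  # public stuff
/archive/repository/    # read only dir full of downloaded PDFs
/space/temp             # temporary area for testing
"""


def parse_allowed_directories(text: str) -> List[str]:
    """Return the allowed directories listed in allowedDirectories.txt.

    A '#' starts a comment (whole-line or trailing); blank lines are ignored.
    Entries are normalised with realpath() so the later jail check is exact.
    """
    allowed = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if not os.path.isabs(entry):
            raise ValueError(f"allowed directory must be absolute: {raw!r}")
        allowed.append(os.path.realpath(entry))
    if not allowed:
        # Mirrors the proposal: no entries means the product is disabled.
        raise RuntimeError("allowedDirectories.txt lists no directory; "
                           "add at least one to enable ExternalFile")
    return allowed


def is_allowed(path: str, allowed: List[str]) -> bool:
    """True if `path` resolves inside one of the allowed directories.

    realpath() collapses '..' and follows symlinks, so a '../' escape and a
    symlink pointing out of the jail are both rejected; a symlinked file is
    only reachable if its target also lies under an allowed directory.
    """
    target = os.path.realpath(path)
    for base in allowed:
        # commonpath avoids the '/space/temp' vs '/space/temp2' prefix bug
        if os.path.commonpath([base, target]) == base:
            return True
    return False
```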