
Re: Filtering with wml, security considerations?

Hello Jim Hebert, in a previous mail you wrote:

> I'm working on a project, which, in a nutshell, would allow people to type
> in some text in a form and have it appear as a web page. I would like to
> make the wml facilities available to persons, within the confines of
> security. The cgi would presumably take the input, pipe it to wml, and
> grab the output for posting as it saw fit. I'll bet I'll have to turn off
> some of the passes...
> I'm pretty sure e-perl is out, right? I don't want people to be able to
> execute commands on the system by embedding some e-perl that creates a
> setuid shell for the userid running the cgi.
> OTOH, I'm not concerned all *that* much about
> things like #include including /etc/passwd -- call
> I recall there being some stuff in m4 that I might not like too -- that
> would let them run arbitrary commands on the machine. Right?
> What else are potential gotchas, and solutions? I assume for many of these
> things disallowing certain passes to take place will be the big answer.
> However, perhaps some standard neutralizer could be prepended to the user
> input which would alias away or otherwise hide some of the problematic
> commands? Perl is probably highly problematic and I'll bet it has to be
> turned off, but perhaps there'd be a way to alias away (or equivalent) the
> 1 or 2 bad m4 commands or other problems?

In a nutshell, Pass 2 (Meta-HTML), Pass 3 (ePerl) and Pass 4 (GNU m4) are
problematic for you, because all provide shell command execution. Pass 1 (IPP)
can also be risky but as you said you can live with it. All other passes 5-9
should be ok for you. BUT: Is it useful to only use Pass 1,5-9?  Only when you
accept that you can use the core functionalities of these passes, and nothing
more!  Because every WML include file uses Pass 1 and 2 and 50% of them also
use Pass 3. So, you can leave passes 2-4 out, but then WML's usefulness is very
limited.

So, the best solution would really be to use a wrapper like the "tagfilter"
idea from Fritz Zaucker and me which we discussed in the last days.  This one
can be used to only allow the stuff (we thought about tags but we can program
it so we can match any stuff) you really want. And then feed this to WML while
using all its power to create the final page.

I really have to say that I never thought about this case because from my
point of view WML is a tool for experts who know what they are doing and not
for Joe Average. So, whenever you want to give WML to the average user while
you don't trust them you need some sort of frontend and only use WML as the
generation backend. Because WML is far away from being a secure tool. It wasn't
designed to be such a secure tool, so even when we try to disable some stuff
we would have security holes. So, the best solution is when someone of you
writes a generic filtering frontend which can be configured to only accept
plain text and a limited set of meta commands (tags, etc.).

                                       Ralf S. Engelschall
Website META Language (WML)                www.engelschall.com/sw/wml/
Official Support Mailing List                   sw-wml@engelschall.com
Automated List Manager                       majordomo@engelschall.com
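As an added illustration of the allowlisting frontend Ralf describes (this is not the "tagfilter" he and Fritz Zaucker discussed, nor any WML code), here is a minimal Python filter that lets untrusted form text through to WML only as plain text plus a fixed set of bare HTML tags. It assumes the constructs to neutralise are the ePerl `<:` ... `:>` delimiters, `#`-prefixed IPP directives at line start (such as `#include`), and GNU m4 macros invoked through the `m4_` prefix; the tag allowlist is a constructed example.

```python
import html
import re

# Bare tags an untrusted author may use; attributes are deliberately not
# accepted, so anything like <a href=...> is escaped rather than passed on.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br"}

# Matches only simple <name>, </name> or <name/> forms. The ePerl opener
# "<:" and any tag carrying attributes never match and are escaped as text.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\s*(/?)>")


def escape_text(text: str) -> str:
    """Escape everything WML's risky passes could interpret."""
    # Pass 2 (Meta-HTML) and Pass 3 (ePerl) are tag/delimiter driven: once
    # '<' and '>' are entities, neither pass sees anything to execute.
    out = html.escape(text, quote=True)
    # Pass 1 (IPP): directives like #include are recognised at line start,
    # so escape a leading '#' on every line (assumption: line-anchored).
    out = re.sub(r"(?m)^#", "&#35;", out)
    # Pass 4 (GNU m4): macros are reached via the m4_ prefix (assumption),
    # so break the prefix with an entity that still renders as '_'.
    out = out.replace("m4_", "m4&#95;")
    return out


def filter_tags(text: str) -> str:
    """Allow only ALLOWED_TAGS through unchanged; escape all other input."""
    pieces = []
    pos = 0
    for m in TAG_RE.finditer(text):
        pieces.append(escape_text(text[pos:m.start()]))
        slash, name, selfclose = m.groups()
        name = name.lower()
        # Reject malformed "</br/>" style forms as well as unknown tags.
        if name in ALLOWED_TAGS and not (slash and selfclose):
            pieces.append(f"<{slash}{name}{selfclose}>")
        else:
            pieces.append(escape_text(m.group(0)))
        pos = m.end()
    pieces.append(escape_text(text[pos:]))
    return "".join(pieces)


if __name__ == "__main__":
    # Constructed sample of hostile form input, for demonstration only.
    sample = "<b>Hi</b>\n<: system('id') :>\n#include 'x'\nm4_esyscmd(`id')"
    print(filter_tags(sample))
```

The filtered output is what the CGI would hand to wml; the allowlist, not the escaping rules, is the part to keep as small as the site can tolerate.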