Author: poeml Date: Sun Nov 14 16:52:57 2010 New Revision: 8228 URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain?rev=8228&view=rev Log: docs/configuration: - add a section with security notes regarding yum-style mirror lists Modified: trunk/docs/configuration.rst Modified: trunk/docs/configuration.rst URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain/trunk/docs/configuration.rst?rev=8228&r1=8227&r2=8228&view=diff ============================================================================== --- trunk/docs/configuration.rst (original) +++ trunk/docs/configuration.rst Sun Nov 14 16:52:57 2010 _at_@ -263,8 +263,13 @@ expression that catches several things. These regular expressions are forced to be anchored to start and end, for - security reasons. (See below.) - + security reasons. + + When you use strings like ``10.0``, remember that the dot is a magic in + regular expressions (matching any character), so you should escape it with a + backslash (see examples below). + + See the next section for a discussion of security implications. .. describe:: subdir _at_@ -281,6 +286,9 @@ here. (*Not* with the second argument that yum passes in. That would make no sense -- since the order in which it places the values is not specified.) + It is not necessary to put ``()`` braces around the regexps, to declare them as a + "match group". *Every* regexp is a match group. + .. describe:: mandatory_file _at_@ -308,6 +316,14 @@ Things you should note: +- Symlinks are automatically handled. Remember that symlinks on mirrors are + invisible when scanning is done only via HTTP. To avoid having multiple trees + in your database, you should make sure that only "real" directories are + scanned via ``scan_top_include`` in :file:`/etc/mirrorbrain.conf`. + MirrorBrain canonicalizes all paths in the local filesystem before doing a + lookup in the database. Therefore, it doesn't matter if the query arguments + are in fact resolving to a symlink to a file tree. + - If no mirror is found in the database, any mirror configured via ``MirrorBrainFallback`` is considered. If none of the latter is configured, MirrorBrain at least returns its own URL, which, after all, will give the _at_@ -316,7 +332,44 @@ - The client needs to specify all arguments defined in a MirrorBrainYumDir, and all must match. - +Security considerations are discussed in the following section. + +Security notes +~~~~~~~~~~~~~~ + +- Because MirrorBrain uses strings that are passed in from clients, which could + potentially be malicious, these are handled with care. + + The normal resource limits of request processing in Apache apply. There is no + special sanitizing for '/../' elements in the path. + + Such arguments are accepted if the regular expression leaves room for that -- + for instance, if it contains wildcards as ``.*``. + + In any case, the resulting path is canonicalized in the local file system. It + is assumed that this cannot have bad effects. The most that an attacker can + achieve is that a path is canonicalized to an existing file on the server. + For Apache, this will mean that it (debug-) logs something like:: + + Error canonicalizing filename '/srv/nullmirrors/centos/5/os/x86_64/../../../../../../etc//repodata/repomd.xml' + + Canonicalization still fails because the file checked is always the one + specified by the admin. Even if the canonicalization would accidentally work, + no information about the file, or even about the success or failure, would be + returned to the client. + + Any error in canonicalization will stop processing of the request. Success + (let's assume it is possible) will result in the path being used in a + database SQL query, asking for mirrors that have the file, which is highly + unlikely. The SQL argument is passed to the database via a prepared statement + with bound parameters, so there is no chance for SQL injection attacks. + + (And all Apache logging undergoes escaping, excluding viewing logs etc. as + attack vector.) + + Still, it seems prudent to recommend to downright avoid the issue by using + more specific regular expressions that accept only what you want. + .. _styling_details_pages: _at_@ -387,7 +440,8 @@ mirror will still apply. Thus, this solution is more powerful than simple DNS-based round robin, or - random request distribution via mod_rewrite. + random request distribution via mod_rewrite. (Of course, contrary to those + other solutions, it requires tracking the mirrors' status and contents.) .. _`mod_setenvif`: http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html _______________________________________________ mirrorbrain-commits mailing list Archive: http://mirrorbrain.org/archive/mirrorbrain-commits/ Note: To remove yourself from this list, send a mail with the content unsubscribe to the address mirrorbrain-commits-request_at_mirrorbrain.orgReceived on Sun Nov 14 2010 - 15:53:04 GMT
This archive was generated by hypermail 2.3.0 : Mon Feb 20 2012 - 23:47:04 GMT