[mirrorbrain-commits] r8228 - /trunk/docs/configuration.rst

From: <poeml_at_mirrorbrain.org>
Date: Sun, 14 Nov 2010 15:53:00 -0000
Author: poeml
Date: Sun Nov 14 16:52:57 2010
New Revision: 8228

URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain?rev=8228&view=rev
- add a section with security notes regarding yum-style mirror lists


Modified: trunk/docs/configuration.rst
URL: http://svn.mirrorbrain.org/viewvc/mirrorbrain/trunk/docs/configuration.rst?rev=8228&r1=8227&r2=8228&view=diff
--- trunk/docs/configuration.rst (original)
+++ trunk/docs/configuration.rst Sun Nov 14 16:52:57 2010
_at_@ -263,8 +263,13 @@
    expression that catches several things.
    These regular expressions are forced to be anchored to start and end, for
-   security reasons. (See below.)
+   security reasons.
+   When you use strings like ``10.0``, remember that the dot is a magic in
+   regular expressions (matching any character), so you should escape it with a
+   backslash (see examples below).
+   See the next section for a discussion of security implications.
 .. describe:: subdir
_at_@ -281,6 +286,9 @@
    here. (*Not* with the second argument that yum passes in. That would make no
    sense -- since the order in which it places the values is not specified.) 
+   It is not necessary to put ``()`` braces around the regexps, to declare them as a
+   "match group". *Every* regexp is a match group.
 .. describe:: mandatory_file
_at_@ -308,6 +316,14 @@
 Things you should note:
+- Symlinks are automatically handled. Remember that symlinks on mirrors are
+  invisible when scanning is done only via HTTP. To avoid having multiple trees
+  in your database, you should make sure that only "real" directories are
+  scanned via ``scan_top_include`` in :file:`/etc/mirrorbrain.conf`.
+  MirrorBrain canonicalizes all paths in the local filesystem before doing a
+  lookup in the database. Therefore, it doesn't matter if the query arguments
+  are in fact resolving to a symlink to a file tree.
 - If no mirror is found in the database, any mirror configured via
   ``MirrorBrainFallback`` is considered. If none of the latter is configured,
   MirrorBrain at least returns its own URL, which, after all, will give the
_at_@ -316,7 +332,44 @@
 - The client needs to specify all arguments defined in a MirrorBrainYumDir, and
   all must match.
+Security considerations are discussed in the following section.
+Security notes
+- Because MirrorBrain uses strings that are passed in from clients, which could
+  potentially be malicious, these are handled with care. 
+  The normal resource limits of request processing in Apache apply. There is no
+  special sanitizing for '/../' elements in the path. 
+  Such arguments are accepted if the regular expression leaves room for that --
+  for instance, if it contains wildcards as ``.*``.
+  In any case, the resulting path is canonicalized in the local file system. It
+  is assumed that this cannot have bad effects. The most that an attacker can
+  achieve is that a path is canonicalized to an existing file on the server.
+  For Apache, this will mean that it (debug-) logs something like::
+    Error canonicalizing filename '/srv/nullmirrors/centos/5/os/x86_64/../../../../../../etc//repodata/repomd.xml'
+  Canonicalization still fails because the file checked is always the one
+  specified by the admin. Even if the canonicalization would accidentally work,
+  no information about the file, or even about the success or failure, would be
+  returned to the client. 
+  Any error in canonicalization will stop processing of the request. Success
+  (let's assume it is possible) will result in the path being used in a
+  database SQL query, asking for mirrors that have the file, which is highly
+  unlikely. The SQL argument is passed to the database via a prepared statement
+  with bound parameters, so there is no chance for SQL injection attacks.
+  (And all Apache logging undergoes escaping, excluding viewing logs etc. as
+  attack vector.)
+  Still, it seems prudent to recommend to downright avoid the issue by using
+  more specific regular expressions that accept only what you want.
 .. _styling_details_pages:
_at_@ -387,7 +440,8 @@
    mirror will still apply. 
    Thus, this solution is more powerful than simple DNS-based round robin, or
-   random request distribution via mod_rewrite.
+   random request distribution via mod_rewrite. (Of course, contrary to those
+   other solutions, it requires tracking the mirrors' status and contents.)
 .. _`mod_setenvif`: http://httpd.apache.org/docs/2.2/mod/mod_setenvif.html

mirrorbrain-commits mailing list
Archive: http://mirrorbrain.org/archive/mirrorbrain-commits/

Note: To remove yourself from this list, send a mail with the content
to the address mirrorbrain-commits-request_at_mirrorbrain.org
Received on Sun Nov 14 2010 - 15:53:04 GMT

This archive was generated by hypermail 2.3.0 : Mon Feb 20 2012 - 23:47:04 GMT