Skip to main content.
home | support | download

Back to List Archive

Re: Swish on Windows

From: David L Norris <dave(at)not-real.webaugur.com>
Date: Sat Aug 30 2003 - 11:26:41 GMT
On Sat, 2003-08-30 at 04:24, Malcolm Miles wrote:
> >Right now you'd end up with a screenful of
> >dialog boxes on the server console.
> 
> I am looking at making some changes to remove these message boxes for
> ASP use (see my other message re compiling SwishCtl). 

It could use better error handling for sure.

> I would also like to be able to select a specific index file to use.
> While this may be unsafe when used on the client side it should be
> safe when used in an ASP script.

Is there some way to detect in which context its being used?  I know
almost nothing about ActiveX controls, unfortunately.

I read through the security guidelines and the main concern seems to be
to prevent repurposing.  With that in mind there's no real reason it
can't have files passed directly from the script.  Actually, the
security guide simply says "arbitrary files."  So, there might be some
middle ground which would allow the control to read filenames from the
script.

For general use, my concern would be with allowing full pathnames in any
context.  It might be fine in certain cases where you have control of
all the scripts on the system.  But it seems like someone might want to
give, for example, paying customers access to the ActiveX control on
their websites.  In which case it becomes a major security issue (since
I presume it will would likely run as the System user).  Let's say
someone writes a sloppy script that allows the entire world to specify
the index filename.  Not good at all.  It would probably do nothing but
generate an error; but that error might be used to leak the existance of
a particular file useful for some other attack vector.

With all that rambling in mind...  What I've been pondering is to create
a registry key for each directory where you would store index files. 
(i.e. multiple IndexLocation entries).  (Greg has implemented something
like this but I've probably not added his patch yet.)  In a hosting
environment this could be used to provide each user with their own
SWISH-E index directory in their home directory (perhaps outside the web
tree).  The registry entry might be their username (and only an admin
can add entries since it's in HKLM).  Now, let's say we make IndexFiles
a list of filenames instead of a registry key.  We set forth some simple
index file naming rules and reject with a fatal error an IndexFiles
argument which violates the rules.  Init might be called like this
Init("myusername", "docs test etc").  The rules might only allow A-Z and
maybe a single '.' in the index file names.  So, now we can specify the
filenames within the script but they aren't arbitrary since they are
restricted to a single directory (and our restrictive filename rules
prevent .., ..., / type attacks).

As I said, I know almost nothing about ActiveX and you may well have
some way around all that.

-- 
 David Norris
  http://www.webaugur.com/dave/
  ICQ - 412039
Received on Sat Aug 30 11:28:13 2003