Re: Insecure Indexing

From: Michael Peters <mpeters(at)not-real.plusthree.com>
Date: Tue Mar 01 2005 - 19:21:00 GMT

David L Norris wrote:

> What I think would be nice is a Perl filesystem indexer which is aware
> of permissions.  Should be easy to implement a comprehensive filesystem
> indexer using DirTree.pl as a base.  That would be my preference rather
> than adding ever-increasing hacks to Swish-e itself.

You mean an indexer that was aware of the web server's permissions?
Which one? Apache, IIS, Websphere, etc? Web servers can be configured
in such convoluted ways that it would be difficult to just parse a conf
file, not to mention custom auth handlers like one would write under
mod_perl, and forget being able to use cookies to check if someone is
'logged in'.

Or do you just mean that uses the same permissions as the webserver? 
This doesn't change anything. Outsiders could still see stuff in the 
index that wouldn't be available through the webserver. Besides, this 
can be done by just running the indexing job as the same user as the 
webserver.

Or are you asking something else that I'm just not seeing?

-- 
Michael Peters
Developer
Plus Three, LP
Received on Tue Mar 1 11:21:00 2005
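
An added example, not part of the original message or of Swish-e: a small audit of the gap described above, where files readable on disk (and so picked up by a filesystem indexer running as the web server user) sit under a directory the web server guards. It assumes Apache-style `.htaccess` files only; the function names and the sample document root are constructed for illustration, and restrictions set in the main server config, custom auth handlers or cookies are not detected.

```python
import os
import re
import tempfile

# Conservative: any AuthType/Require/Deny line in .htaccess counts as a
# restriction (assumption: Apache-style per-directory config only).
RESTRICT = re.compile(r"^\s*(AuthType|Require|Deny\s+from)\b", re.I | re.M)

def restricted_dirs(root):
    """Directories under root whose own .htaccess carries a restriction."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                if RESTRICT.search(fh.read()):
                    found.add(dirpath)
    return found

def audit(root):
    """Split files readable by this process into (public, leaked) lists."""
    guarded = restricted_dirs(root)
    public, leaked = [], []
    for dirpath, _dirs, files in os.walk(root):
        # .htaccess restrictions are inherited by every subdirectory.
        inherited = any(dirpath == g or dirpath.startswith(g + os.sep) for g in guarded)
        for name in files:
            path = os.path.join(dirpath, name)
            if name == ".htaccess" or not os.access(path, os.R_OK):
                continue  # the indexer could not read it, or it is config
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            (leaked if inherited else public).append(rel)
    return sorted(public), sorted(leaked)

def build_sample(root):
    """Constructed document root: one public page, one guarded subtree."""
    layout = {
        "index.html": "<h1>welcome</h1>",
        "private/.htaccess": "AuthType Basic\nRequire valid-user\n",
        "private/salaries.html": "<h1>staff only</h1>",
        "private/2005/q1.html": "<h1>staff only</h1>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(audit(root))  # (safe to index, readable but guarded)
```

Every path in the second list passes the filesystem permission check yet would be refused to an anonymous visitor, so it should be kept out of a publicly searchable index.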