You are viewing a plain text version of this content. The canonical link for it is here.
Posted to general@incubator.apache.org by Josh Thompson <jo...@ncsu.edu> on 2009/12/03 19:09:34 UTC
Re: [RESULT][VOTE] release Apache VCL 2.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The following votes were given:
+1 Alan Cabrera (transferred from vote on vcl-dev@i.a.o list)
+1 Kevan Miller (transferred from vote on vcl-dev@i.a.o list)
+1 Niall Pemberton
+1 Ant Elder
Leo Simons made some notable comments:
> 3) There is no website yet? You really have to do a basic homepage
> over at http://incubator.apache.org/vcl/, for example so that you can
> point people at mirrors (see http://www.apache.org/dev/#mirror about
> the mirroring system).
Our plan is to copy the autoexport from our VCLDOCS confluence space as the
content for our official web space. VCLDOCS was created recently, and we
haven't started migrating our content there yet. For now, I've used a
slightly modified version of the index page from our VCL confluence space to
be a placeholder at the URL you've listed. Once we get the release out, I'll
change the link for "VCL 2.1 Information" under Project Resources to not have
the "(unreleased)" part.
> 4) Since this is PHP code I did a cursory code review for SQL
> injection / XSS / etc. It seems like that's had some attention, but at
> a glance maybe its not quite perfect? For example checkAccess() in
> utils.php:
>
> $xmlpass = $_SERVER['HTTP_X_PASS'];
> if(get_magic_quotes_gpc())
> $xmlpass = stripslashes($xmlpass);
>
> where $xmlpass is used moments later to execute SQL:
>
> $query = "SELECT x.id "
> . "FROM xmlrpcKey x, "
> . "user u "
> . "WHERE x.ownerid = u.id AND "
> . "u.unityid = '$xmluser' AND "
> . "x.key = '$xmlpass' AND "
> . "x.active = 1";
>
> Another piece of suspect code would be in submitLogin() in
> authentication.php which does not appear to validate the
> $_POST['password']. I'm by no means a PHP expert so I might be making
> a fool of myself here, but better safe than sorry. So, can you explain
> (preferably on, err, your website) what measures are in place to guard
> against things like SQL injection and XSS?
Wow - thanks for pouring over the code that carefully! I am the author of the
php part of the code. Some time ago (before we even migrated to ASF), I went
over everything to protect against SQL injection and XSS attacks. However,
more recently, I discovered that the measures in place for protection messed
up passwords with special characters in them in the places you've pointed out
above. I made changes to allow the passwords to work. I've created a JIRA
issue (VCL-274) to look in to making those parts secure again.
We have several sites using VCL already from SVN. Given that and the fact
that we did get enough votes to pass, I'm going to go ahead and get this
release out so those sites can have something official, and then address the
SQL injection/XSS hardening in Apache VCL 2.2.
Thanks,
Josh Thompson
Apache VCL release manager
- --
- -------------------------------
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
Josh_Thompson@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFLF/7nV/LQcNdtPQMRAmn+AJ0XSR7T1TTGQlOgAxq+qYjHa5EduwCfZMtj
OiA35oS97b/Bc7U//YC7WUE=
=9aw2
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org