Posted to users@shindig.apache.org by so...@web.de on 2011/06/08 12:58:50 UTC

Making public shindig secure?

Hello everyone,
 
I’m currently evaluating shindig as Open Social Container for our project which should be a public site.
I checked the code and I have the following security concern:
In my opinion you could use at least the servlets GadgetRenderingServlet, ConcatProxyServlet and JsServlet to request any resource from the internet via the shindig server. For example by using:
http://opensocial.test:8080/shindig/gadgets/concat?container=default&gadget=http%3A%2F%2Fgadget.test%3A8080%2Fwebapp%2Fgadget&debug=1&nocache=1&type=js&1=http%3A%2F%2Fwww.google.com
to request the Google page.
This could be used for local IPs too, like 1=http%3A%2F%2Flocalhost%2Fsecret
 
What's the proposed way to make this secure?
I can think about the following ways:
1.)    Use a filter for the servlets and restrict the access by programmatically checking the parameters
2.)    Use a firewall to restrict access for the webapp container
 
Thanks and best regards
Tom
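The first option Tom lists (a filter in front of the proxying servlets that checks the parameters) sketched as an added example. This is not code from the original message or from Shindig: the class name OutboundUrlFilter, the init-param allowedHosts and the servlet URL patterns in the comments are assumptions; only the standard javax.servlet and java.net APIs are used. It rejects any request parameter that is an absolute http(s) URL whose host resolves to a non-public address (localhost, 10/8, 169.254/16, fc00::/7 and so on), and optionally enforces a host allow-list.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter, not part of Shindig. Map it in web.xml in front of the
 * proxying servlets (assumed patterns: /gadgets/concat, /gadgets/js, /gadgets/ifr).
 * Every parameter value that is an absolute http(s) URL, including the numbered
 * concat parameters (1=..., 2=...), must resolve to a public address and, if the
 * assumed init-param "allowedHosts" is set, name a listed host.
 */
public class OutboundUrlFilter implements Filter {
  private static final Set<String> SCHEMES =
      new HashSet<String>(Arrays.asList("http", "https"));

  /** Lower-cased host allow-list; null means "any public host". */
  private Set<String> allowedHosts;

  public void init(FilterConfig cfg) {
    String hosts = cfg.getInitParameter("allowedHosts"); // comma-separated, assumed name
    if (hosts != null && hosts.trim().length() > 0) {
      allowedHosts = new HashSet<String>();
      for (String h : hosts.split(",")) {
        allowedHosts.add(h.trim().toLowerCase());
      }
    }
  }

  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    @SuppressWarnings("unchecked") // raw Map in the Servlet 2.5 API
    Map<String, String[]> params = ((HttpServletRequest) req).getParameterMap();
    for (String[] values : params.values()) {
      for (String value : values) {
        if (isAbsoluteHttpUrl(value) && !isPermitted(value)) {
          ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
              "Proxying to this host is not permitted");
          return;
        }
      }
    }
    chain.doFilter(req, res);
  }

  public void destroy() {}

  /** Only absolute http(s) URLs are checked; other parameters pass through untouched. */
  static boolean isAbsoluteHttpUrl(String value) {
    String v = value.trim().toLowerCase();
    return v.startsWith("http://") || v.startsWith("https://");
  }

  /** Fails closed: unparseable URLs and unresolvable hosts are rejected as well. */
  boolean isPermitted(String value) {
    try {
      URI uri = new URI(value.trim());
      String host = uri.getHost();
      if (host == null || uri.getScheme() == null
          || !SCHEMES.contains(uri.getScheme().toLowerCase())) {
        return false;
      }
      if (allowedHosts != null && !allowedHosts.contains(host.toLowerCase())) {
        return false;
      }
      // A name may resolve to several addresses; every one of them must be public.
      for (InetAddress addr : InetAddress.getAllByName(host)) {
        if (!isPublic(addr)) {
          return false;
        }
      }
      return true;
    } catch (URISyntaxException e) {
      return false;
    } catch (UnknownHostException e) {
      return false;
    }
  }

  /** Rejects unspecified, loopback, link-local, RFC 1918, shared, ULA and multicast ranges. */
  static boolean isPublic(InetAddress addr) {
    if (addr.isAnyLocalAddress() || addr.isLoopbackAddress() || addr.isLinkLocalAddress()
        || addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
      return false;
    }
    byte[] b = addr.getAddress();
    if (b.length == 4) {
      int b0 = b[0] & 0xff, b1 = b[1] & 0xff;
      if (b0 == 0 || (b0 == 100 && (b1 & 0xc0) == 64)) return false; // 0/8, 100.64/10
    } else if (b.length == 16 && (b[0] & 0xfe) == 0xfc) {
      return false; // fc00::/7; isSiteLocalAddress() only covers the old fec0::/10
    }
    return true;
  }
}
```

Two caveats a reviewer would raise before relying on this alone. The filter resolves the host once at check time, while the servlet's HTTP client resolves it again when fetching, so a name whose DNS answer changes between the two (rebinding) slips past; the robust fix is to apply the same address check inside the fetcher, at connect time and again after every redirect, since the remote server can also 302 to http://localhost/. That is why the second option in the message, egress firewall rules on the container host, is a useful complement rather than an alternative: it does not depend on parsing the request at all.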