On 9/28/05 1:14 PM, "Rob Church" <robchur(a)gmail.com> wrote:
> Somewhere I suggested to someone else that you could mash up the scripts
> to allow them to be run over the web. My recommendations for this would
> then be:
> * Take out the requirement for command-line parameters and use $_GET
> variables to pass instructions to the script
> * Also require a nonadvertised secret value via $_GET, e.g. the script
> must be called with &mysecretkey=9509450-93059094503-90 in order to work
> * Only ever have the maintenance folder uploaded when it's needed OR
> protect it with HTTP folder protection under Apache, etc.
The second bullet is not very secure with regard to (e.g.) net snooping.
This problem can be alleviated if you can run the site (or at least the
maintenance scripts) via SSL.
If not SSL, you could use this plan (more secure than passing a key in the
open, but more work):
A) Select a shared secret value (string).
B) Write a script to run locally on the desktop to create a Message
Authentication Code (MAC) by doing an MD5 hash on the parameters, plus a
timestamp, plus the shared secret. Pass the parameters, the timestamp and
the MAC in the query string (but NOT the shared secret... Duh!).
C) Include at the top of the maintenance script a step that recreates the
MAC using the parameters, the timestamp, and the shared secret (hard-coded
in the script, read in from a server-based file, etc.) If the recreated MAC
does not match the passed MAC, the message is inauthentic and execution
should stop. This step assures that whatever system prepared the MAC knew
the shared secret (which should be only your system, right?), or if not
(stolen token), that the whole query string was passed with no values
altered.
D) If the MACs match, the timestamp should be checked against the current
time for a reasonable delay (we often use 90 seconds). This helps protect
against "replay" attacks, where a MAC is stolen and re-used.
It's really not that much code if you have an MD5-creating library available
(check Google). We have done it for other systems, but have no need for
MediaWiki (we just "ssh" in -- so lucky!).
-- Joshua
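Steps A through D above, worked through as an added example; this is not code from the thread or from MediaWiki. The signing side (run locally) and the verifying side (the top of the maintenance script) share one canonicalisation routine so the MAC is computed over identical bytes. One deliberate change from the mail: the MAC is an HMAC-SHA256 over the parameters and timestamp rather than a plain MD5 over their concatenation with the secret, since HMAC is the standard keyed construction and MD5 should not be used for new designs. The secret, the parameter names, the 90-second window and the query strings are all constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Step D: how far the request timestamp may drift from server time.
WINDOW_SECONDS = 90

# Constructed example secret; in practice read it from a file outside the web root.
SHARED_SECRET = b"constructed-shared-secret-not-for-real-use"


def canonical(params, timestamp):
    """Serialise parameters plus timestamp in a fixed (sorted) order so that
    the desktop signer and the server verifier hash the same bytes."""
    items = sorted(dict(params, ts=str(timestamp)).items())
    return urlencode(items).encode()


def make_mac(params, timestamp, secret):
    """Step B: keyed MAC over the canonical parameters and timestamp.
    HMAC-SHA256 replaces the raw MD5 concatenation suggested in the mail."""
    return hmac.new(secret, canonical(params, timestamp), hashlib.sha256).hexdigest()


def sign_request(params, secret, now=None):
    """Desktop side: produce the query string carrying params, ts and mac
    (and never the secret itself)."""
    ts = int(time.time() if now is None else now)
    signed = dict(params, ts=str(ts), mac=make_mac(params, ts, secret))
    return urlencode(sorted(signed.items()))


def verify_query(query_string, secret, now=None, window=WINDOW_SECONDS):
    """Steps C and D, server side. Returns (True, params) for an authentic,
    fresh request, or (False, reason) when execution should stop."""
    parsed = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    mac = parsed.pop("mac", None)
    ts_raw = parsed.pop("ts", None)
    if mac is None or ts_raw is None:
        return False, "missing ts or mac"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"

    # Step C: recreate the MAC and compare in constant time, so a mismatch
    # is detected without leaking where the digests diverge.
    expected = make_mac(parsed, ts, secret)
    if not hmac.compare_digest(expected, mac):
        return False, "mac mismatch"

    # Step D: reject anything outside the freshness window (replayed or delayed).
    current = int(time.time() if now is None else now)
    if abs(current - ts) > window:
        return False, "stale timestamp"
    return True, parsed


if __name__ == "__main__":
    # Constructed maintenance request: what the desktop script would emit.
    qs = sign_request({"action": "rebuild", "limit": "50"}, SHARED_SECRET, now=1_000_000)
    print(qs)
    print(verify_query(qs, SHARED_SECRET, now=1_000_050))            # authentic and fresh
    print(verify_query(qs.replace("limit=50", "limit=500"), SHARED_SECRET, now=1_000_050))  # tampered
    print(verify_query(qs, SHARED_SECRET, now=1_000_200))            # replayed after the window
```

The timestamp window only narrows the replay problem to 90 seconds; a request captured and resent inside that window is still accepted. If that matters, the server should additionally remember the (ts, mac) pairs it has already honoured within the window and refuse a second use. Running the whole site over SSL, as the mail suggests first, removes the snooping exposure that makes both measures necessary.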