On 11/14/06, Erik Moeller <erik(a)wikimedia.org> wrote:
On 11/14/06, Robert Scott Horning <robert_horning(a)netzero.net> wrote:
Adding my own $0.02 here, this is indeed a bad idea for security issues
alone. I completely agree here with Anthony's sentiments as Java has
some very significant security holes that would open up some incredible
liability and other problems if used on Wikimedia sites. The very
thought of allowing anonymous users to post Java source code that would
be served up through Wikimedia servers... I can't think of a worse
possible problem. It makes all of the issues with hacking the front
page of Wikimedia projects seem very tame and mild by comparison.

We're talking about applets, which have a specific sandbox security
model. Let's not discuss on the basis of FUD, please.

I know a pretty good deal about Java's basic sandbox security model.
I'm pretty rusty, haven't written anything in Java in a couple years,
but the basic concept of the security model probably hasn't changed
that much.

There are two issues here. The first is that the sandbox security
model is invariably broken from time to time. The second is that, in
default browser implementation, the security model relies entirely on
the fact that applets which come from a server were written by an
administrator of that server.

That said, I probably wasn't open-minded enough about this. Maybe
there's a way to solve problem #2 (and problem #1 will get better over
time). Hosting the applets on a completely separate webserver?
Probably not good enough, but it might be something to look into.
Providing a static wrapper applet which lowers its security privileges
and then embeds the untrusted class? More likely to succeed, but
harder to implement.

Just turning on the ability to upload applets would be a really really
bad idea. But something a little less than that could possibly work.

Anthony
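The "static wrapper that lowers its privileges" idea from the reply above, sketched as an added example; this is not code from the thread or from Wikimedia. It is plain Java rather than an applet, and it assumes a JDK where a SecurityManager can still be installed (JDK 8 to 17 work as-is; JDK 18 to 23 need `-Djava.security.manager=allow`; JDK 24 and later have removed the mechanism). The wrapper runs the untrusted code under an AccessControlContext whose only ProtectionDomain carries an empty permission set, so whatever the wrapper itself was granted by its origin (notably the permission to connect back to the host it was served from) is not inherited. The connect-back target `example.invalid` is a constructed placeholder for the origin host.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

public class RestrictedRunner {

    // Run an action with NO permissions at all. AccessController intersects the
    // caller's permissions with those of the supplied context, so this holds
    // even though the wrapper class itself may have been granted more.
    public static <T> T runRestricted(PrivilegedExceptionAction<T> action)
            throws PrivilegedActionException {
        Permissions none = new Permissions();            // empty collection: nothing granted
        ProtectionDomain restricted = new ProtectionDomain(null, none);
        AccessControlContext ctx =
                new AccessControlContext(new ProtectionDomain[] { restricted });
        return AccessController.doPrivileged(action, ctx);
    }

    // Stand-in for user-supplied code: it tries the one thing an applet served from
    // the site would normally be allowed to do, open a socket back to its origin.
    // "example.invalid" is a constructed placeholder, not a real host.
    static String attemptOriginConnect() {
        try (Socket s = new Socket("example.invalid", 80)) {
            return "connected";
        } catch (SecurityException e) {
            return "denied";                              // expected under the wrapper
        } catch (IOException e) {
            return "io-error";                            // only reachable if the check passed
        }
    }

    public static void main(String[] args) throws Exception {
        // A SecurityManager must be installed or no permission checks run at all.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }
        String unrestricted = attemptOriginConnect();     // wrapper's own grants apply
        String restricted = runRestricted(RestrictedRunner::attemptOriginConnect);
        System.out.println("direct call: " + unrestricted);
        System.out.println("under wrapper: " + restricted);   // prints "denied"
    }
}
```

Two caveats a practitioner would check before relying on this. First, the restriction only covers code invoked through `runRestricted`; a real wrapper would also load the untrusted class through its own ClassLoader and pass the same empty-permission ProtectionDomain to `defineClass`, so the restriction travels with the class rather than with the call path. Second, this addresses only the second of Anthony's two problems (origin-derived trust); a sandbox escape in the runtime itself, the first problem, bypasses any in-language permission check, which is why hosting on a separate origin with no session cookies is worth combining with it rather than choosing between them.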