On Tue, 04 Sep 2012 05:11:33 -0700, Jeroen De Dauw
<jeroendedauw(a)gmail.com> wrote:

> Hey,
>
>> The essential problem is that people can't get stuff through the
>> gatekeepers, so they come up with a workaround. Noting that the
>> workaround is insecure and saying "just don't do that" doesn't solve
>> the original need and won't help security. It's not clear to me what
>> will, but the gatekeeping is an obvious start.
>
> I don't think this extension really affects this. It is the same as
> having widgets implemented as extensions in that:
> * They can only be enabled by administrative people
> * They can be obtained from verified sources or from non-trusted ones
>
> Widgets are inferior in that:
> * An attacker compromising an admin account can put in arbitrary JS code

I forgot to mention it but here's another:
* The XSS vectors in some widgets cannot be fixed without using PHP.

Also:
* Concatenation of raw HTML leads to the creation of some really messy
Widget implementations that are hard to review.

> Widgets are superior in that:
> * They cannot create PHP vulnerabilities

Sure... assuming there are no vulnerabilities in Smarty that we don't know
about.

But you only create PHP vulnerabilities when you use something related to
eval, require with user input, save data to the filesystem, or are a
malicious person.
They're easy to weed out in simple Widget extensions that don't need to do
any of this.

> * Changes can be kept track of on-wiki
> * The source is clearly visible to wiki users, increasing the scrutiny of
> the code

Visibility of extensions in public repositories is fine. Clearly the
in-page nature of these widgets has not helped their scrutiny at all.

> * They are easier to deploy for most people
> * They encourage more collaboration compared to the tons of low quality
> and unmaintained single widget extensions

I do not believe that it is impossible for us to get good collaboration on
small widget extensions.

We need to make these cleaner to build. Let people jump into their
development more easily. Improve the ability to find them. And make a
place for users to request new ones.

> It seems to me that this extension does not lose on security compared to
> regular extensions at all,

Sorry but the Widgets extension has no high-level declaration of output
like we have in Html::, and relies entirely on the author knowing how to
escape everything perfectly to avoid security holes.
This is a major loss in security.

There is a very good reason besides working on multiple engines that we
work with databases using high-level abstraction rather than by
concatenating SQL.
High-level abstraction makes it easier to avoid holes, makes security
implicit and cleaner than insecurity. And makes it possible to write
cleanly nested code even when the output is a huge one-line mess.

> and that it offers quite a few benefits for the
> kind of functionality it is intended to be used for.
>
>> The problem with creating a new system that has no gatekeepers
>> is that it encourages people who have no business writing code to
>> end up doing so.
>
> This system has as much gatekeeping as regular extensions do. I think
> several people are making assumptions here without having had a decent
> look at the extension.

This is clearly not the case. Because there are XSS vectors all over these
widgets.

Developers who understand security do not monitor code strewn about in
piles of wiki pages.
They in no way have the same level of gatekeeping as extensions.

> Cheers
>
> --
> Jeroen De Dauw
> http://www.bn2vs.com
> Don't panic. Don't be evil.
> --

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
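The contrast Daniel draws above, between concatenating raw HTML (which leaves every escape to the widget author) and a high-level output declaration like Html::, is shown below as an added example. This code is not from the Widgets extension, from Smarty, or from MediaWiki's own Html class: the `element()` and `safeLink()` builders are stand-ins written for this example, and the widget parameters are constructed input chosen to trigger both an attribute-context and a text-context injection.

```php
<?php
// Added example, not code from the Widgets extension or MediaWiki.
// The same link widget rendered two ways: raw concatenation that trusts the
// author to escape every value, and a small builder that escapes implicitly.

// Constructed widget input: an attacker-controlled URL and label.
$params = [
    'url'   => 'http://example.com/" onmouseover="alert(1)',
    'label' => '<script>alert(1)</script>',
];

// 1. Concatenated raw HTML, the way many wiki-page widgets are written.
//    Nothing is escaped, so both the attribute and the text node are injectable.
function widgetConcat( array $p ): string {
    return '<a class="widget" href="' . $p['url'] . '">' . $p['label'] . '</a>';
}

// 2. Builder in the spirit of Html::element (hypothetical stand-in): escaping
//    happens inside element(), once, for every value the caller passes.
//    htmlspecialchars with ENT_QUOTES covers both a double-quoted attribute
//    value and a text node, so a single escaper serves both contexts here.
function esc( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

function element( string $tag, array $attrs, string $text ): string {
    $html = '<' . $tag;
    foreach ( $attrs as $name => $value ) {
        // Attribute names come from the widget code, not the user, but
        // rejecting anything that is not a plain identifier costs nothing.
        if ( !preg_match( '/^[a-zA-Z][a-zA-Z0-9-]*$/', $name ) ) {
            throw new InvalidArgumentException( "bad attribute name: $name" );
        }
        $html .= ' ' . $name . '="' . esc( $value ) . '"';
    }
    return $html . '>' . esc( $text ) . '</' . $tag . '>';
}

// Escaping alone does not make href safe: a javascript: URL survives
// htmlspecialchars untouched. A link builder can enforce a scheme allow-list,
// which is the kind of rule that is easy to centralise in an abstraction and
// easy to forget in every hand-concatenated widget.
function safeLink( string $url, string $label ): string {
    if ( !preg_match( '#^https?://#i', $url ) ) {
        $url = '#'; // drop javascript:, data:, vbscript:, etc.
    }
    return element( 'a', [ 'class' => 'widget', 'href' => $url ], $label );
}

echo widgetConcat( $params ), "\n";
echo safeLink( $params['url'], $params['label'] ), "\n";
```

Run with `php example.php`: the first line breaks out of the `href` attribute and injects an event handler plus a script element; the second line keeps the whole URL inside the quoted attribute and renders the label as inert text. The point is not that `htmlspecialchars` is hard to call, but that with the builder the author never has the option of forgetting it.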