On Tue, 04 Sep 2012 05:11:33 -0700, Jeroen De Dauw <jeroendedauw@gmail.com> wrote:

> Hey,
>
>> The essential problem is that people can't get stuff through the
>> gatekeepers, so they come up with a workaround. Noting that the workaround is insecure and saying "just don't do that" doesn't solve the original need and won't help security. It's not clear to me what will, but the gatekeeping is an obvious start.
>
> I don't think this extension really affects this. It is the same as having widgets implemented as extensions in that:
> - They can only be enabled by administrative people
> - They can be obtained from verified sources or from non-trusted ones
>
> Widgets are inferior in that:
> - An attacker compromising an admin account can put in arbitrary JS code

I forgot to mention it but here's another:
* The XSS vectors in some widgets cannot be fixed without using PHP.

Also:
* Concatenation of raw HTML leads to the creation of some really messy Widget implementations that are hard to review.

> Widgets are superior in that:
> - They cannot create PHP vulnerabilities

Sure... assuming there are no vulnerabilities in Smarty that we don't know about. But you only create PHP vulnerabilities when you use something related to eval, require with user input, save data to the filesystem, or are a malicious person. They're easy to weed out in simple Widget extensions that don't need to do any of this.

> - Changes can be kept track of on-wiki
> - The source is clearly visible to wiki users, increasing the scrutiny of
>   the code

Visibility of extensions in public repositories is fine. Clearly the in-page nature of these widgets has not helped their scrutiny at all.

> - They are easier to deploy for most people
> - They encourage more collaboration compared to the tons of low quality
>   and unmaintained single widget extensions

I do not believe that it is impossible for us to get good collaboration on small widget extensions. We need to make these cleaner to build. Let people jump into their development more easily. Improve the ability to find them. And make a place for users to request new ones.

> It seems to me that this extension does not lose on security compared to regular extensions at all,

Sorry, but the Widgets extension has no high-level declaration of output like we have in Html:: and relies entirely on the author knowing how to escape everything perfectly to avoid security holes. This is a major loss in security. There is a very good reason besides working on multiple engines that we work with databases using high-level abstraction rather than by concatenating SQL. High-level abstraction makes it easier to avoid holes, makes security implicit and cleaner than insecurity. And makes it possible to write cleanly nested code even when the output is a huge one-line mess.

> and that it offers quite a few benefits for the kind of functionality it is intended to be used for.
>
>> The problem with creating a new system that has no gatekeepers
>> is that it encourages people who have no business writing code to end up doing so.
>
> This system has as much gatekeeping as regular extensions do. I think several people are making assumptions here without having had a decent look at the extension.

This is clearly not the case. Because there are XSS vectors all over these widgets. Developers who understand security do not monitor code strewn about in piles of wiki pages. They in no way have the same level of gatekeeping as extensions.

> Cheers
>
> --
> Jeroen De Dauw
> http://www.bn2vs.com
> Don't panic. Don't be evil.
> --

--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
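The escaping point argued above (a structured output API in the spirit of Html:: versus concatenating raw HTML in a widget body), as an added example. This is not code from the thread, from the Widgets extension, or from MediaWiki: the element() helper below is a stand-alone stand-in for MediaWiki's Html::element(), not that class, and the widget parameters and the attacker-controlled input are constructed for the example.

```php
<?php
// Added example, not code from the thread, the Widgets extension or MediaWiki.
// It contrasts the two output styles the reply argues about: raw string
// concatenation, where every interpolated value must be escaped by hand, and a
// small structured element builder, where escaping happens implicitly because
// tag, attributes and text content are declared separately.

// Style 1: concatenation, the way a template-style widget body typically builds
// its markup. The text is escaped but the URL is not: one forgotten call is an
// XSS, and nothing in the code structure makes the omission visible.
function linkWidgetConcat(array $params): string {
    return '<a href="' . $params['url'] . '" class="widget-link">'
        . htmlspecialchars($params['text'], ENT_QUOTES, 'UTF-8')
        . '</a>';
}

// Style 2: a minimal structured element builder (a stand-in for Html::element,
// not MediaWiki's class). The caller never touches raw HTML; the builder owns
// escaping for both attribute values and text content, and rejects tag or
// attribute names that could not be escaped into a safe position.
function element(string $tag, array $attrs, string $text): string {
    if (!preg_match('/^[a-z][a-z0-9]*$/', $tag)) {
        throw new InvalidArgumentException("bad tag name: $tag");
    }
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        if (!preg_match('/^[a-z][a-z0-9-]*$/', $name)) {
            throw new InvalidArgumentException("bad attribute name: $name");
        }
        $out .= ' ' . $name . '="'
            . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out . '>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</' . $tag . '>';
}

function linkWidgetStructured(array $params): string {
    return element('a', ['href' => $params['url'], 'class' => 'widget-link'], $params['text']);
}

// Constructed attacker-controlled widget parameters: the URL value closes the
// href attribute and injects an event handler.
$params = [
    'url'  => '" onmouseover="alert(document.cookie)" x="',
    'text' => 'Click <me>',
];

echo "concatenated: ", linkWidgetConcat($params), "\n";
echo "structured:   ", linkWidgetStructured($params), "\n";
```

In the concatenated output the injected onmouseover handler lands as a live attribute; in the structured output the same bytes survive only as &quot;-escaped characters inside the href value. Note the limit of what attribute escaping buys: it stops the value from breaking out of its attribute, but a href value such as a javascript: URL is still a valid attribute value, so a link builder also needs scheme validation on the URL, which is a separate check from HTML escaping.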