From 7813337cad75e71e76dbd1d4492ca0d53b523d61 Mon Sep 17 00:00:00 2001 From: Dieter Hametner Date: Thu, 6 Sep 2007 23:11:45 +0000 Subject: - First reaction to bug #387. This version has checked MapUrl mappings. --- README | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'README') diff --git a/README b/README index 3bb495a..6ca7176 100644 --- a/README +++ b/README @@ -151,4 +151,19 @@ build. It is only neccessary if the localized strings have changed or if translations have been added. So if one of above is true you can regenerate i18n-generated.h with the make target 'generate-i18n' prior to creating the live plugin. In this case you need the CPAN perl -module Locale::PO installed on your system. \ No newline at end of file +module Locale::PO installed on your system. + + +Security consideratios +====================== + +Live uses the tntnet MapUrl mechanism to map different request urls +to tntnet components. One component 'content.ecpp' delivers files +found in the file system. When given the wrong 'path' it could +retrieve any file from the server where live runs on. Therefore +content.ecpp needs to be enhanced to check the paths before returning +files. A second measure against missuse is to limit the mappings from +MapUrl to only valid files. In the current version this approach has +been taken. But due to the 'dificulty' to fully understand regular +expressions, this might get spoiled again by 'unchecked' code +contribution. -- cgit v1.2.3