Previous post highlighted that Novelang should not allow a reference to a directory out of its project. We'll call such a directory an external directory.
The reason is, Novelang could be used (in a distant future) as an embedded component in a Web application where users upload their own source documents and stylesheets. A malicious stylesheet could exploit some special FOP behavior to embed a file that it is not supposed to, like password file, or just another user's document.
By now Novelang just filters HTTP queries, especially those for directory listing. There is no check on the path on images or fonts that FOP tries to embed.
Enforcing file access restriction is a great subject by itself. How to handle resource access, depending on current Novelang project? How to test security in general? Those points arise as I'm writing, but the initial topic of this post is: how to
let a project access to a directory out of its scope, let's say, in case of multiple projects sharing same datas like fonts on a privately-owned local filesystem?
This may be achieved using Un*x symbolic links, depending on Java support them. A more portable solution could be to set a system option like:
external.allfonts=../shared/all-the-fonts
external.logos=../shared/images/my-logo
external.greetings=../shared/text
"System option" means it is defined
outside of a Novelang book (through command-line or system properties). Then, one can reference suchdirectories as any other directory inside the project using variable expansion:
insert file:${extdir:greeting}/salute.nlp
Too bad! Until now I avoided variable expansion which makes everything unreadable. Variable expansion makes sense if you want to restrict access to images in a given context, while not giving access to greetings. This doesn't make sense. After all, it's enough to give access to some external directories with no other kind of ceremony:
externaldirectory=../common
externaldirectory=../../Shared/images
Then we let a Novelang book or stylesheet reference them:
insert file:../common/text/salute.nlp
By the way, this could be done using filesystem's permissions, but they are not portable accross systems. Anyways, as I don't see many use cases, implementing such a feature has the lowest priority by now.
No comments:
Post a Comment