You are here: Foswiki>Tasks Web>Item8430 (05 Jul 2015, GeorgeClark)Edit Attach

Item8430: registerRESTHandler default authenticate option is insecure

pencil
Priority: Enhancement
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: FoswikiFunc, FoswikiUIRest
Branches:
Reported By: PaulHarvey
Waiting For:
Last Change By: GeorgeClark
Working on making PermLinkPlugin work for WikiGuest (permalink GUIDS are accessed via a rest handler), I discovered the following:
  • Out of the box, foswiki lists rest in auth scripts in configure. So this bug does not affect most installations.
  • Removing rest from auth scripts allowed WikiGuest to access the rest handler without any auth challenge. The following two registerRESTHandler calls behave identically, on both release and trunk:
    1. Foswiki::Func::registerRESTHandler( 'view', \&rest_view );
    2. Foswiki::Func::registerRESTHandler( 'view', \&rest_view, authenticate => 0 );
  • The expected behaviour is that (1) should authenticate by default, and behave identically to the following:
    • Foswiki::Func::registerRESTHandler( 'view', \&rest_view, authenticate => 1 );

I get a 401 for WikiGuest on both release and trunk only when passing authenticate => 1.

The current situation is that before I remove rest from authscripts on a live production site, I must audit all extensions that are in use which have rest handlers, that they call with authenticate => 1 unless they have a good reason not to.

-- PaulHarvey - 27 Jan 2010

Your logic is impeccable; as was mine when I left registerRESTHandler with the existing behaviour, when I added authenticate => 1. Of course I didn't think it through sufficiently. Confirmed.

-- CrawfordCurrie - 27 Jan 2010

Yeah, but this is why I would call it a legacy feature, rather than a security bug smile I raised this point many times though, because an attacker could, for example, trigger your KinoSearch indexing every second, without even being logged in...

But I guess defaulting it to authenticated is OK, even thought it won't solve enough me thinks. Plugins with REST handlers might have to provide proper authentication ways, to avoid that one can, for example, view a topic using a REST handler, even though the topic is supposed to be restricted.

-- OlivierRaginel - 27 Jan 2010

I suppose it would be nice for there to be ACLs on rest handlers.

Anyway, it looks like the original unit tests were supposed to fail as the current behaviour stands; it's just that it didn't work out that way.

I understand rest handlers can easily be dangerous. Regardless, the current behaviour makes me nervous.

-- PaulHarvey - 27 Jan 2010

Changing this to 1.1/minor. We had the insecure defaults documented in Foswiki::Func, but the tests weren't written that way (failed silently anyway).

We also have validate. And it occurs to me we should protect http_method to only allow POST by default too.

So this is what I propose happens by default - no real behaviour changes here, just the defaults when registering a REST handler:
  • Require auth
  • Only POST method allowed
  • Validation by default

It should be trivial to fix any plugins that assume the old defaults. Plugin authors will have to explicitly override these "more secure" defaults when writing for 1.1, which can only be a good thing.

I don't think that's a big change, let me know if this needs a feature proposal.

Fixing tests.

-- PaulHarvey - 07 Mar 2010

Deferred for post-1.1. I have a pretty comprehensive set of tests going but it's not all working happily. If somebody wants a diff to get this into 1.1 please let me know.

-- PaulHarvey - 02 Apr 2010

Any news on this? Almost two years without progress. Is it still an issue? Please clarify if target is 1.2 or 2.0.

-- GeorgeClark - 07 Mar 2012

I got stuck at the time, have since lost the code related to this effort and will try again for 1.2.

-- PaulHarvey - 07 Mar 2012
 

ItemTemplate edit

Summary registerRESTHandler default authenticate option is insecure
ReportedBy PaulHarvey
Codebase 1.1.4, 1.1.4 RC2, 1.1.4 RC1, 1.1.4 beta2, 1.1.4 beta1, 1.1.3, 1.1.3 RC1, 1.1.3 beta1, 1.1.2, 1.1.1, 1.1.0, 1.1.0 beta1, 1.0.10, 1.0.9, 1.0.8, 1.0.7, 1.0.6, 1.0.5, 1.0.5 beta1, 1.0.4, 1.0.3, 1.0.2, 1.0.1, 1.0.0, 1.0.0 beta3, 1.0.0 beta2, 1.0.0 beta1, trunk
SVN Range
AppliesTo Engine
Component FoswikiFunc, FoswikiUIRest
Priority Enhancement
CurrentState Closed
WaitingFor
Checkins distro:c97d53d3b365 distro:8003f99e6704
TargetRelease major
ReleasedIn 2.0.0
CheckinsOnBranches
trunkCheckins
Release01x01Checkins
Topic revision: r14 - 05 Jul 2015, GeorgeClark - This page was cached on 28 Jul 2016 - 22:17.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License