[Clipart] fd.o compromised because of our incoming!

Bryce Harrington bryce at bryceharrington.org
Wed Oct 19 14:32:58 PDT 2005

On Wed, Oct 19, 2005 at 05:11:44PM -0400, Nathan Eady wrote:
> Jon Phillips wrote:
> There are several possibilities I can think of here.
> 1.  Do not serve the incoming directory via the web.
>     It's convenient to be able to wget the incoming
>     files for doing the release, but it's not
>     necessary.

I updated the directions for using rsync for this; I would recommend use
of rsync over wget for this process.  In addition to being more secure,
it will be faster and will be less subject to quirks like getting
index.html files autogenerated or whatnot.

> 2.  Do not accept "other" filetypes, only the ones
>     on a very short pre-approved list.  Off the top
>     of my head the only ones we really need are .svg
>     and possibly .zip, but we also could allow .wmf
>     and .tgz with relative safety, I think.  We are
>     not doing anything useful with any other type
>     of submission, anyway.

For this to really work, it should base the detection off of internal
mimetype rather than just trust the file extension.

> 3.  Always append an extension (that will cause Apache
>     not to treat them as executable) to every accepted
>     file when placing it in the incoming directory.

Probably unnecessary if you're rigorous about doing #2.

> 4.  Configure Apache so that executables or scripts
>     or PHP or whatnot are not run from the incoming
>     directory, or the clipart directory, or other
>     such places where they do not belong.  Frankly
>     I cannot think of any very good reason to allow
>     anything other than static content outside of the
>     cgi-bin directory.  (Yeah, we currently have PHP
>     content outside of cgi-bin, notably in the document
>     root, but there's no good reason it *needs* to be
>     that way.)

> Actually, I think I'd be in favor of doing all four of
> these things, and anything else we can think of to lock
> down what the web server will automatically do without
> approval from someone with an ssh account.

5.  Restrict the characters usable in filenames to only be alphanumeric,
    plus . - _    No spaces, no extended characters, and certainly no
    shell punctuation.  E.g., ensure no one can upload 
    "foobar`; cat /etc/passwd; #.svg"

More information about the clipart mailing list