From: Till K. <kin...@gm...> - 2009-07-22 15:28:34
|
Demian Katz schrieb: > As I see it, there are two basic approaches to this: > > 1.) Sanitize the data as it comes in -- as Till did in his patch. That was just a "fix as quick and easy as possible" solution. I am even not sure, if that is enough or a correct approach, because I don't know much of all these XSS issues and how to avoid them. So I don't recommend using that! > Personally, I prefer approach #2 -- I feel it's a little more > predictable. I don't think it's more predictable. Predictable is approach #1: Everything cleaned out is lost in any further step. So no interference with anything :-) But approach #2 allows "fine grain" control of what is sanitized where for what kind of use. Eg. before sending user input to Solr there is some cleaning needed as well, though the Dismax handler is much more forgiving than the standard handler. There are already some code fragments doing such sanitation (but only in regard to Solr), eg. cleanInput() in sys/Solr.php (in earlier times it was scattered over services/Search/Home.php). > I'm > willing to take a stab at closing up the holes in this manner, Great! > Is there any consensus on this issue? I can live with both approaches. If taking #2, it's worth thinking about some kind of "central cleaning service" that may be called from all points in VuFind if needed (I guess that was one intention behind moving sanitation code from Home.php to Solr.php), so we have one defined place to handle those things. Otherwise you end up with different implementations of cleaning mechanisms, but none of them perfect and well maintained. Maybe it's a good start to think about, where user input is used and needs to be treated. First things on my mind are: Data display, Solr, MySQL (though the database interface should care for cleanliness there). There are no critical eval(), system()-, exec()-, fopen(), passthru(), ...-calls to the operating system, file system or sockets, are there? Till -- http://twitter.com/tillk |