Menu
▾
▴
exist-development
|
From: Loren C. <lor...@gm...> - 2010-03-23 21:22:18
|
There is also another extension besides "gate" that needs renaming. We also need a name for lib. extensions/build.properties ================== # TODO: explain what this is # The name is not descriptive. # It should be changed. I know Gev has left this for us to decide, but ... # Lib module include.module.lib = false What does this do? What would be a better name for it? Loren |
|
From: Evgeny G. <gaz...@gm...> - 2010-03-23 21:29:50
|
this module have a couple functions: 1) lib:get-info($name) is returns the info (name, size) of any file in $EXIST_HOME or $EXIST_HOME/lib folder 2) lib:get($name) is returns the file Module is used in jnlp webapp (see $EXIST_HOME/webapp/jnlp) ------- Evgeny |
|
From: Joe W. <jo...@gm...> - 2010-03-23 22:01:12
|
Evgeny, Sounds very much like a file module set of functions. Can you elaborate why you chose to put these 2 functions in a separate module instead of alongside the file module? Joe On Tue, Mar 23, 2010 at 5:29 PM, Evgeny Gazdovsky <gaz...@gm...> wrote: > this module have a couple functions: > > 1) lib:get-info($name) is returns the info (name, size) of any file in > $EXIST_HOME or $EXIST_HOME/lib folder > 2) lib:get($name) is returns the file > > Module is used in jnlp webapp (see $EXIST_HOME/webapp/jnlp) > > ------- > Evgeny |
|
From: Evgeny G. <gaz...@gm...> - 2010-03-23 22:31:10
|
> Sounds very much like a file module set of functions. Can you
> elaborate why you chose to put these 2 functions in a separate module
> instead of alongside the file module?
>
> Joe
File module have more common functional and so only DBA have access.
In my module I automate searching files in eXist's libs folders
by names, not by path.
Example lib:get-info("commons-util-%latest%.jar")
This functional is like the JnlpServlet, but more flex.
-------
Evgeny
|
|
From: Joe W. <jo...@gm...> - 2010-03-24 00:53:06
|
Evgeny,
> File module have more common functional and so only DBA have access.
> In my module I automate searching files in eXist's libs folders
> by names, not by path.
> Example lib:get-info("commons-util-%latest%.jar")
> This functional is like the JnlpServlet, but more flex.
Thanks, I understand now. I just rebuilt to check this out and look
at the function documentation, which is a helpful start. For others
who haven't, here is an example:
input:
lib:get-lib-info('commons-util-%latest%.jar')
output:
<lib name="ws-commons-util-1.0.2.jar" size="34407"
modified="2010-01-22T20:51:33-05:00"/>
Some requests for the module's xqdocs:
1. Could you be a little more specific and descriptive about the
allowed values (and allowed wildcards) for $name?
2. Can you specify the XML format of the return value (even providing
an example)?
3. Can you confirm this is only for *.jar files, and add that it's
only for EXIST_HOME and EXIST_HOME/lib?
Thanks,
Joe
|
|
From: Evgeny G. <gaz...@gm...> - 2010-03-24 07:40:26
|
> Thanks, I understand now. I just rebuilt to check this out and look
> at the function documentation, which is a helpful start. For others
> who haven't, here is an example:
>
> input:
> lib:get-lib-info('commons-util-%latest%.jar')
>
> output:
> <lib name="ws-commons-util-1.0.2.jar" size="34407"
> modified="2010-01-22T20:51:33-05:00"/>
>
> Some requests for the module's xqdocs:
>
> 1. Could you be a little more specific and descriptive about the
> allowed values (and allowed wildcards) for $name?
>
Allowed values and wildcards is same as for
"org.exist.start.LatestFileResolver" class
(As I'm see one can work for any types, but in comments used "jar" term only).
> 2. Can you specify the XML format of the return value (even providing
> an example)?
>
<lib name="resolved-lib-name" size="lib-size" modified="last-modified-time"/>
this is all attributes
> 3. Can you confirm this is only for *.jar files, and add that it's
> only for EXIST_HOME and EXIST_HOME/lib?
>
Not this must worn for all file types.
Yes only for EXIST_HOME and EXIST_HOME/lib
or webapp/WEB-INF/lib if eXist is work as war webapp
in tomcat environment, for exapmle
----------
Evgeny
|
|
From: Joe W. <jo...@gm...> - 2010-03-24 11:57:46
|
Hi Evgeny, Thanks for the helpful answers. Can you add this info to the function's xqdocs? Joe >> Some requests for the module's xqdocs: >> >> 1. Could you be a little more specific and descriptive about the >> allowed values (and allowed wildcards) for $name? >> > Allowed values and wildcards is same as for > "org.exist.start.LatestFileResolver" class > (As I'm see one can work for any types, but in comments used "jar" term only). > >> 2. Can you specify the XML format of the return value (even providing >> an example)? >> > <lib name="resolved-lib-name" size="lib-size" modified="last-modified-time"/> > this is all attributes > >> 3. Can you confirm this is only for *.jar files, and add that it's >> only for EXIST_HOME and EXIST_HOME/lib? >> > Not this must worn for all file types. > Yes only for EXIST_HOME and EXIST_HOME/lib > or webapp/WEB-INF/lib if eXist is work as war webapp > in tomcat environment, for exapmle |
|
From: Evgeny G. <gaz...@gm...> - 2010-03-24 12:03:36
|
> Thanks for the helpful answers. Can you add this info to the function's xqdocs? > Yes I can |
|
From: Loren C. <lor...@gm...> - 2010-03-24 02:20:04
|
I suggest that these functions be moved to the system function module. These two functions are small enough and they seem like something that could belong into the system function module.
Loren
On Mar 23, 2010, at 07:52 PM, Joe Wicentowski wrote:
> Evgeny,
>
>> File module have more common functional and so only DBA have access.
>> In my module I automate searching files in eXist's libs folders
>> by names, not by path.
>> Example lib:get-info("commons-util-%latest%.jar")
>> This functional is like the JnlpServlet, but more flex.
>
> Thanks, I understand now. I just rebuilt to check this out and look
> at the function documentation, which is a helpful start. For others
> who haven't, here is an example:
>
> input:
> lib:get-lib-info('commons-util-%latest%.jar')
>
> output:
> <lib name="ws-commons-util-1.0.2.jar" size="34407"
> modified="2010-01-22T20:51:33-05:00"/>
>
> Some requests for the module's xqdocs:
>
> 1. Could you be a little more specific and descriptive about the
> allowed values (and allowed wildcards) for $name?
>
> 2. Can you specify the XML format of the return value (even providing
> an example)?
>
> 3. Can you confirm this is only for *.jar files, and add that it's
> only for EXIST_HOME and EXIST_HOME/lib?
>
> Thanks,
> Joe
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
|
|
From: Evgeny G. <gaz...@gm...> - 2010-03-24 07:43:25
|
> I suggest that these functions be moved to the system function module. These two functions are small enough and they seem like something that could belong into the system function module. > Agree. At first I wanted to do too ---------- Evgeny |
|
From: Dmitriy S. <sha...@gm...> - 2010-03-24 06:19:41
Attachments:
smime.p7s
|
+1 to move it to system module
On Tue, 2010-03-23 at 21:19 -0500, Loren Cahlander wrote:
> I suggest that these functions be moved to the system function module. These two functions are small enough and they seem like something that could belong into the system function module.
>
> Loren
>
> On Mar 23, 2010, at 07:52 PM, Joe Wicentowski wrote:
>
> > Evgeny,
> >
> >> File module have more common functional and so only DBA have access.
> >> In my module I automate searching files in eXist's libs folders
> >> by names, not by path.
> >> Example lib:get-info("commons-util-%latest%.jar")
> >> This functional is like the JnlpServlet, but more flex.
> >
> > Thanks, I understand now. I just rebuilt to check this out and look
> > at the function documentation, which is a helpful start. For others
> > who haven't, here is an example:
> >
> > input:
> > lib:get-lib-info('commons-util-%latest%.jar')
> >
> > output:
> > <lib name="ws-commons-util-1.0.2.jar" size="34407"
> > modified="2010-01-22T20:51:33-05:00"/>
> >
> > Some requests for the module's xqdocs:
> >
> > 1. Could you be a little more specific and descriptive about the
> > allowed values (and allowed wildcards) for $name?
> >
> > 2. Can you specify the XML format of the return value (even providing
> > an example)?
> >
> > 3. Can you confirm this is only for *.jar files, and add that it's
> > only for EXIST_HOME and EXIST_HOME/lib?
> >
> > Thanks,
> > Joe
> >
> > ------------------------------------------------------------------------------
> > Download Intel® Parallel Studio Eval
> > Try the new software tools for yourself. Speed compiling, find bugs
> > proactively, and fine-tune applications for parallel performance.
> > See why Intel Parallel Studio got high marks during beta.
> > http://p.sf.net/sfu/intel-sw-dev
> > _______________________________________________
> > Exist-development mailing list
> > Exi...@li...
> > https://lists.sourceforge.net/lists/listinfo/exist-development
>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
--
Cheers,
Dmitriy Shabanov
|
|
From: Wolfgang M. <wol...@ex...> - 2010-03-24 18:00:36
|
Evgeny, shouldn't those functions be limited to a dba user? Allowing guest to download any jar file from certain eXist directories seems to be a security issue. Wolfgang |
|
From: James F. <jam...@gm...> - 2010-03-24 18:02:42
|
On Wed, Mar 24, 2010 at 7:00 PM, Wolfgang Meier <wol...@ex...> wrote: > Evgeny, > > shouldn't those functions be limited to a dba user? Allowing guest to > download any jar file from certain eXist directories seems to be a > security issue. +1 to Wolfgang's suggestion J |
|
From: Dannes W. <da...@ex...> - 2010-03-24 18:07:37
|
I mentioned this before this week, but ignored. D. On Wed, Mar 24, 2010 at 7:02 PM, James Fuller <jam...@gm...> wrote: > On Wed, Mar 24, 2010 at 7:00 PM, Wolfgang Meier <wol...@ex...> wrote: >> Evgeny, >> >> shouldn't those functions be limited to a dba user? Allowing guest to >> download any jar file from certain eXist directories seems to be a >> security issue. > > +1 to Wolfgang's suggestion > > J > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > Exist-development mailing list > Exi...@li... > https://lists.sourceforge.net/lists/listinfo/exist-development > -- eXist-db Native XML Database - http://exist-db.org Join us on linked-in: http://www.linkedin.com/groups?gid=35624 |
|
From: Dannes W. <da...@ex...> - 2010-03-24 18:08:41
|
big -1 for me. There is no coherence withthe other system modules. very pity to see that no core-team member was consulted on this. and implemented. -1 On Wed, Mar 24, 2010 at 7:17 AM, Dmitriy Shabanov <sha...@gm...> wrote: > +1 to move it to system module -- eXist-db Native XML Database - http://exist-db.org Join us on linked-in: http://www.linkedin.com/groups?gid=35624 |
|
From: Loren C. <lor...@gm...> - 2010-03-24 18:19:08
|
It could be moved to the file module and make the access by DBA configurable or even specify which groups can access. If someone would like, the access can even be granted to guest group in a configuration.
The current code that accesses the file module functions has a check in each function to see if the user is a DBA or not.
if (!context.getUser().hasDbaRole()) {
XPathException xPathException = new XPathException(this, "Permission denied, calling user '" + context.getUser().getName() + "' must be a DBA to call this function.");
logger.error("Invalid user", xPathException);
throw xPathException;
}
Loren
On Mar 24, 2010, at 01:08 PM, Dannes Wessels wrote:
> big -1 for me. There is no coherence withthe other system modules.
>
> very pity to see that no core-team member was consulted on this. and
> implemented.
>
> -1
>
>
> On Wed, Mar 24, 2010 at 7:17 AM, Dmitriy Shabanov <sha...@gm...> wrote:
>> +1 to move it to system module
>
>
> --
> eXist-db Native XML Database - http://exist-db.org
> Join us on linked-in: http://www.linkedin.com/groups?gid=35624
|
|
From: Leif-Jöran O. <lj...@ex...> - 2010-03-24 18:13:25
Attachments:
smime.p7s
|
Den 2010-03-24 19:02, James Fuller skrev: > On Wed, Mar 24, 2010 at 7:00 PM, Wolfgang Meier <wol...@ex...> wrote: >> Evgeny, >> >> shouldn't those functions be limited to a dba user? Allowing guest to >> download any jar file from certain eXist directories seems to be a >> security issue. > > +1 to Wolfgang's suggestion +1 Which, if I undertand it correctly, also means one of its main incentives is void. Making this more like a remove decision. |
|
From: Wolfgang M. <wol...@ex...> - 2010-03-24 18:19:57
|
> Which, if I undertand it correctly, also means one of its main > incentives is void. Making this more like a remove decision. Well, as I understand it, Evgeny primarily needs the lib module for his gate extension. Evgeny, could you find a way to secure the lib module while keeping the gate functionality (even though the latter is not directly related to eXist, I see the benefits it will have as an example for users)? Wolfgang |
|
From: Leif-Jöran O. <lj...@ex...> - 2010-03-24 18:25:05
Attachments:
smime.p7s
|
Den 2010-03-24 19:19, Wolfgang Meier skrev: >> Which, if I undertand it correctly, also means one of its main >> incentives is void. Making this more like a remove decision. > > Well, as I understand it, Evgeny primarily needs the lib module for > his gate extension. Yes, but if I remember correctly the argument against simply using the file module was dba only. |
|
From: Dmitriy S. <sha...@gm...> - 2010-03-24 18:25:44
Attachments:
smime.p7s
|
On Wed, 2010-03-24 at 19:00 +0100, Wolfgang Meier wrote: > shouldn't those functions be limited to a dba user? Allowing guest to > download any jar file from certain eXist directories seems to be a > security issue. Do we speak about LibFunction? I don't see any security issue there, or I'm missing something? Any scenario? It quite hard-coded staff at the end. -- Cheers, Dmitriy Shabanov |
|
From: Dmitriy S. <sha...@gm...> - 2010-03-24 18:33:42
Attachments:
smime.p7s
|
On Wed, 2010-03-24 at 23:24 +0500, Dmitriy Shabanov wrote: > On Wed, 2010-03-24 at 19:00 +0100, Wolfgang Meier wrote: > > shouldn't those functions be limited to a dba user? Allowing guest to > > download any jar file from certain eXist directories seems to be a > > security issue. > > Do we speak about LibFunction? I don't see any security issue there, or > I'm missing something? > > Any scenario? > > It quite hard-coded staff at the end. > As example, oXygen can use it to dynamic get eXist's jars and/or check versions. Plus list: - it fully controlled by code, no dynamic file names allow. - read only operations If I did miss something in code, please point it to me, I don't see any danger here. If kernel version is security hole, I should unplug my self right now. -- Cheers, Dmitriy Shabanov |
|
From: James F. <jam...@gm...> - 2010-03-24 18:39:23
|
Can someone point me to the unit tests for this functionality ... perhaps we can use testing to discover (and assert) just how safe this thing is ... I know we have talked before about unit tests ... my feeling is at a minimum everything core should get acceptance only if source comes with unit tests; whilst this wont guarantee anything it is always a good place to start. J On Wed, Mar 24, 2010 at 7:31 PM, Dmitriy Shabanov <sha...@gm...> wrote: > On Wed, 2010-03-24 at 23:24 +0500, Dmitriy Shabanov wrote: >> On Wed, 2010-03-24 at 19:00 +0100, Wolfgang Meier wrote: >> > shouldn't those functions be limited to a dba user? Allowing guest to >> > download any jar file from certain eXist directories seems to be a >> > security issue. >> >> Do we speak about LibFunction? I don't see any security issue there, or >> I'm missing something? >> >> Any scenario? >> >> It quite hard-coded staff at the end. >> > > As example, oXygen can use it to dynamic get eXist's jars and/or check > versions. > > Plus list: > - it fully controlled by code, no dynamic file names allow. > - read only operations > > If I did miss something in code, please point it to me, I don't see any > danger here. If kernel version is security hole, I should unplug my self > right now. > > -- > Cheers, > > Dmitriy Shabanov > > ------------------------------------------------------------------------------ > Download Intel® Parallel Studio Eval > Try the new software tools for yourself. Speed compiling, find bugs > proactively, and fine-tune applications for parallel performance. > See why Intel Parallel Studio got high marks during beta. > http://p.sf.net/sfu/intel-sw-dev > _______________________________________________ > Exist-development mailing list > Exi...@li... > https://lists.sourceforge.net/lists/listinfo/exist-development > > |
|
From: Dannes W. <da...@ex...> - 2010-03-24 18:46:36
|
Hi, On Wed, Mar 24, 2010 at 7:23 PM, Dmitriy Shabanov <sha...@gm...> wrote: > Do we speak about LibFunction? I don't see any security issue there, or > I'm missing something? > Any scenario? The issue is fundamentally. A jar library is specified by a query, that can live anywhere, even oustide the db. Basically all jar files can be specified, including those who you might not want to expose, e.g. private libraries. D. -- eXist-db Native XML Database - http://exist-db.org Join us on linked-in: http://www.linkedin.com/groups?gid=35624 |
|
From: Dmitriy S. <sha...@gm...> - 2010-03-24 18:55:19
Attachments:
smime.p7s
|
Hey,
On Wed, 2010-03-24 at 19:46 +0100, Dannes Wessels wrote:
> On Wed, Mar 24, 2010 at 7:23 PM, Dmitriy Shabanov <sha...@gm...> wrote:
> > Do we speak about LibFunction? I don't see any security issue there, or
> > I'm missing something?
>
> > Any scenario?
>
> The issue is fundamentally. A jar library is specified by a query,
> that can live anywhere, even oustide the db. Basically all jar files
> can be specified,
> including those who you might not want to expose, e.g. private
> libraries.
ok, for now it hard-coded to
private final static String LIB_WEBINF = "WEB-INF/lib/";
private final static String[] LIB = {"./lib/core",
"./lib/optional", "./lib/extensions", "./lib/user", "."};
so, simples solution hardcode it jars mask like log4j-%latest%.jar too
(src/org/exist/start/start.config can be used/reused)
Will it solve this problem?
--
Cheers,
Dmitriy Shabanov
|
|
From: Dannes W. <da...@ex...> - 2010-03-24 18:57:09
|
Hi,
On Wed, Mar 24, 2010 at 7:53 PM, Dmitriy Shabanov <sha...@gm...> wrote:
> ok, for now it hard-coded to
>
> private final static String LIB_WEBINF = "WEB-INF/lib/";
> private final static String[] LIB = {"./lib/core",
> "./lib/optional", "./lib/extensions", "./lib/user", "."};
>
> so, simples solution hardcode it jars mask like log4j-%latest%.jar too
> (src/org/exist/start/start.config can be used/reused)
>
> Will it solve this problem?
No. I put my personal jars in lib/user, these should NEVER be exposed.
furthermore the classpath is not complete.
D.
--
eXist-db Native XML Database - http://exist-db.org
Join us on linked-in: http://www.linkedin.com/groups?gid=35624
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X