From: Hungerburg <pc...@my...> - 2012-02-09 00:25:20
On 2012-02-09 00:28, Joe Wicentowski wrote:
>
> No, it's not that - I don't store usernames or passwords in XQuery
> files. It's the fact that I simply have no intention of exposing the
> source code of my site to guest users. My intention is to let guest
> users view webpages generated by my XQuery files. In my mind the
> permission to view a webpage generated by an XQuery file should be
> distinct from the permission to view the XQuery source code.

Joe, for you the problem will only arise if your guests have the means of printing the source code and, if I understand you fully, if these means are readily available over the network, where a web browser can leech it.

Billions of mod-perl, mod-php etc. programmers live in the very same situation. If for some reason the web server is misconfigured, instead of a nice webpage the users see source code gibberish. This only rarely happens though.

Is there a way, in a stock installation, apart from eXide, of getting e.g. /apps/myApp/controller.xql served as plain text? That would be bad indeed. The REST servlet will not do it, it will try to run the procedure, and maybe the error message will leak some secrets...

If I understand Adam correctly, at the moment there is no "native executable" format in eXist (Java maybe?), everything requires an interpreter and therefore read access.

Just like you, I am a little curious about how ACLs can solve this. Do they override Unix-like permissions?

--
peter