How to secure anonymous creation of class with file attrs?

Piotrek Karaś

Tuesday 17 April 2007 12:49:16 am

Hello,

I need to make it possible for anonymous users to create objects that would become child nodes of a given tree node, but <b>will only be accessible for administrator users</b> in the admin interface. <b>The class</b>, objects of which will be added, <b>contains a file attribute</b>. How secure is it to allow this?

Here's a list of precautions I could think of:
1) I add a privilege for the anonymous role to create function with all the limitations possible, especially telling what class and parent class the creation include, by adding a special section and so on.
2) I define a hard-to-guess object name, based on several fields, including identifier attribute that increments itself automatically.
3) I prepare overrides based on the target class' identifier, which point to some empty or 'you have no business here' templates.

Would that be enough?
Maybe there is a way to verify the file?
How secure is this idea generally?

Thanks for any suggestions.

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu
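On the "is there a way to verify the file" question above, an added example (not code from the thread or from eZ Publish): a defender-side check that accepts a CV upload only when an allowlisted extension matches the file's leading bytes, ignoring the client-supplied content type. The allowlist, size limit and helper names are assumptions.

```python
import os
import re
import secrets

# Assumed allowlist for a CV upload: extension -> accepted leading bytes ("magic").
# .docx is a ZIP container, so "PK\x03\x04" only proves "this is a ZIP"; the
# extension is therefore still pinned rather than inferred from the bytes.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound document
    "docx": (b"PK\x03\x04",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed 5 MiB limit for a CV

# Strict name policy: one base name, one dot, one allowlisted extension.
# This rejects double extensions such as "cv.php.pdf" and names with no extension.
NAME_RE = re.compile(r"^[a-z0-9_-]+\.(pdf|doc|docx)$")


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason-or-extension).

    The decision uses only the file name and the bytes actually received,
    never the Content-Type header the browser sends.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size"
    base = os.path.basename(filename).lower()   # drop any path component
    match = NAME_RE.match(base)
    if match is None:
        return False, "extension"
    ext = match.group(1)
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "magic"                    # extension and content disagree
    return True, ext


def storage_name(ext: str) -> str:
    """Random on-disk name, so the original (possibly hostile) name never reaches disk."""
    return f"{secrets.token_hex(16)}.{ext}"
```

The magic check proves the container type only; a PDF can still carry hostile content, so this is a gate before storage, not a substitute for serving uploads as non-executable downloads.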

André R.

Tuesday 17 April 2007 1:42:40 am

Seems pretty secure, but this depends on whether this is a CV for John Shmo or top secret documents for the Pentagon.
Instead of the things you suggested, you can also test a new 'restricted' section that no one except admins has access to.
Then grant the anonymous user access to create a given class type under a given class type, and limit it to a specific node inside the 'Restricted' section.

Then to let users create content:

<form name="signup" action="/content/action" method="post">
<input type="hidden" name="NodeID" value="MY_NODE_ID" />
<input type="hidden" name="ClassID" value="MY_CLASS_ID" />
<input type="hidden" name="ContentLanguageCode" value="eng-GB" />
<input type="hidden" name="NewButton" value="New" />
</form>
<a href="#" onclick="window.document.signup.submit();">Add Content</a>

Note1: You also have to grant them rights to read their own drafts++
Note2: You can change NewButton to type="submit" if you want a button instead of a JavaScript-dependent link.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Tuesday 17 April 2007 2:10:11 am

Definitely closer to CV (actually that's exactly what I am working on at the moment), than to top secret stuff :)

Still, I wouldn't like two things to happen:
- information/files to leak out,
- file to be used/executed to damage or hack the installation/server.

<i>Note1: You also have to grant them rights to read their own drafts++</i>
Why would I want that? I don't quite see this part.

Thanks for the suggestions.

André R.

Tuesday 17 April 2007 5:21:59 am

>Note1: You also have to grant them rights to read their own drafts++
>Why would I want that? I don't quite see this part.

They don't, my bad :)

Piotrek Karaś

Tuesday 17 April 2007 3:47:37 pm

We found one more thing to secure, to modify or add to my list (first post).

When in the /content/edit situation, the path informs us of the actual location of the created content, and that would be fine, but it also appends the following information automatically:
Root / My structure / Location / <b>New Name of the class</b>
That would be fine in case the form is filled in correctly. If that's not the case, i.e. if validation stops us from sending the draft for publication, then we no longer get the <b>New</b> info; instead eZ tries to guess the object name based on the information already validated:
Root / My structure / Location / <b>cv45 Name Surname</b>
So I guess there's a pretty good chance that our secret of how we construct the object name is revealed.

One way to deal with it is to filter path accordingly. However, it seems that the section solution would be the best one.
