How to secure anonymous creation of class with file attrs?


Piotrek Karaś

Tuesday 17 April 2007 12:49:16 am

Hello,

I need to make it possible for anonymous users to create objects that would become child nodes of a given tree node, but will only be accessible for administrator users in the admin interface. The class, objects of which will be added, contains a file attribute. How secure is it to allow this?

Here's a list of precautions I could think of:
1) I add a privilege for the anonymous role on the create function with all the limitations possible, especially specifying which class and parent class the creation includes, by adding a special section and so on.
2) I define a hard-to-guess object name, based on several fields, including an identifier attribute that increments itself automatically.
3) I prepare overrides based on the target class' identifier, which point to some empty or 'you have no business here' templates.

Would that be enough?
Maybe there is a way to verify the file?
How secure is this idea generally?

Thanks for any suggestions.

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

André R.

Tuesday 17 April 2007 1:42:40 am

Seems pretty secure, but this depends on whether this is a CV for John Shmo or top secret documents for the Pentagon.
Instead of the things you suggested, you can also test a new 'restricted' section that no one except admins has access to.
Then grant the anonymous user access to create a given class type under a given class type, and limit it under a specific node inside the 'Restricted section'.

Then to let users create content:

<form name="signup" action="/content/action" method="post">
<input type="hidden" name="NodeID" value="MY_NODE_ID" />
<input type="hidden" name="ClassID" value="MY_CLASS_ID" />
<input type="hidden" name="ContentLanguageCode" value="eng-GB" />
<input type="hidden" name="NewButton" value="New" />
</form>
<a href="#" onclick="window.document.signup.submit();">Add Content</a>

Note1: You also have to grant them rights to read their own drafts++
Note2: You can change NewButton to type="submit" if you want a button instead of a JavaScript-dependent link.

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Tuesday 17 April 2007 2:10:11 am

Definitely closer to CV (actually that's exactly what I am working on at the moment), than to top secret stuff :)

Still, I wouldn't like two things to happen:
- information/files to leak out,
- file to be used/executed to damage or hack the installation/server.

"Note1: You also have to grant them rights to read their own drafts++"
Why would I want that? I don't quite see this part.

Thanks for the suggestions.

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu

André R.

Tuesday 17 April 2007 5:21:59 am

>Note1: You also have to grant them rights to read their own drafts++
>Why would I want that? I don't quite see this part.

They don't, my bad :)

eZ Online Editor 5: http://projects.ez.no/ezoe || eZJSCore (Ajax): http://projects.ez.no/ezjscore || eZ Publish EE http://ez.no/eZPublish/eZ-Publish-Enterprise-Subscription
@: http://twitter.com/andrerom

Piotrek Karaś

Tuesday 17 April 2007 3:47:37 pm

We found one more thing to secure to modify or add to my list (first post).

When in the /content/edit situation, the path informs us of the actual location of the created content, and that would be fine, but it also appends the following information automatically:
Root / My structure / Location / New Name of the class
That would be fine in case the form is filled in correctly. If that's not the case, if validation stops us from sending the draft for publication, then we no longer get the New info; instead eZ is trying to guess the object name based on the information already validated:
Root / My structure / Location / cv45 Name Surname
So I guess there's a pretty good chance our secret of how we construct the object name is revealed.

One way to deal with it is to filter path accordingly. However, it seems that the section solution would be the best one.

--
Company: mediaSELF Sp. z o.o., http://www.mediaself.pl
eZ references: http://ez.no/partners/worldwide_partners/mediaself
eZ certified developer: http://ez.no/certification/verify/272585
eZ blog: http://ez.ryba.eu
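
On the question raised in the thread of whether the uploaded file can be verified: the following is an added example, not part of any post and not eZ Publish code. It shows an allowlist check that rejects a CV upload unless its extension and leading bytes agree; the function name `vet_upload`, the extension list and the size cap are assumptions chosen for illustration.

```php
<?php
// Added example: allowlist check for an anonymously uploaded CV.
// vet_upload(), MAX_BYTES and the ALLOWED list are hypothetical choices.

const MAX_BYTES = 2 * 1024 * 1024;

// Extension => leading bytes the file content must start with.
const ALLOWED = [
    'pdf'  => "%PDF-",
    'doc'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", // OLE2 container
    'docx' => "PK\x03\x04",                        // ZIP container
    'odt'  => "PK\x03\x04",                        // ZIP container
];

function vet_upload(string $originalName, string $bytes): array
{
    if ($bytes === '' || strlen($bytes) > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'size'];
    }
    // Only the final extension is considered, and it must be on the list.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return ['ok' => false, 'reason' => 'extension'];
    }
    // The content must start with the signature that extension implies.
    $magic = ALLOWED[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return ['ok' => false, 'reason' => 'content'];
    }
    // Never reuse the client-supplied name on disk: a random name with the
    // vetted extension cannot end in .php or collide with another upload.
    return ['ok' => true, 'reason' => null,
            'stored' => bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed sample uploads (not real files).
$samples = [
    'cv.pdf'       => "%PDF-1.4\n(constructed body)",
    'cv.php'       => "<?php echo 'constructed'; ?>",
    'cv.pdf '      => "%PDF-1.4\n",                 // trailing space: no valid extension
    'renamed.docx' => "<?php echo 'constructed'; ?>", // script renamed to .docx
];
foreach ($samples as $name => $bytes) {
    $r = vet_upload($name, $bytes);
    printf("%-14s %s\n", $name, $r['ok'] ? 'accepted as ' . $r['stored'] : 'rejected: ' . $r['reason']);
}
```

A matching signature only shows that the file starts like the declared type, so the stored file should still live where the web server will not execute it, which is the second concern listed in the thread.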
