House of Fusion
Home of the ColdFusion Community
Group: ColdFusion Talk (CF-Talk)

filesystem security (was: Idea Incubator - javax imageio ImageReader)


07/18/2002 06:01 PM
Author:
Dave Watts

> > > Try it:

I think that Jochem's point is that CFHTTP won't allow you to use file paths. On the other hand, a COM interface to IE would probably allow you to do such a thing, just like you can use file paths in IE on your desktop, in addition to regular URLs.

> Also, even if what you described actually worked - why
> wouldn't I just do cffile??

Because (I'm sure) Jochem has used Advanced Security sandboxes to prevent use of CFFILE from one customer's site to another. However, he probably doesn't want to vet every external object's code for security if he can avoid it.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

07/18/2002 06:06 PM
Author:
Raymond Camden

> I think that Jochem's point is that CFHTTP won't allow you to
> use file paths. On the other hand, a COM interface to IE
> would probably allow you to do such a thing, just like you
> can use file paths in IE on your desktop, in addition to regular URLs.

I grok this. But darnit, we weren't talking about that. If you want to talk security and COM, fine. I was talking about a web thumbnail generator. That's what is bugging me. His original posts made it seem like the idea of generating a thumbnail of a URL was insecure. It's not. Or perhaps I'm being too anal now. ;)

=======================================================================
Raymond Camden, ColdFusion Jedi Master for Macromedia
Email    : jedimaster@macromedia.com
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda

07/18/2002 06:15 PM
Author:
Dave Watts

> I grok this. But darnit, we weren't talking about that.
> If you want to talk security and COM, fine. I was talking
> about a web thumbnail generator. That's what is bugging
> me. His original posts made it seem like the idea of
> generating a thumbnail of a URL was insecure. It's not.

The idea may not be insecure, but the implementation may very well be. Given similar things I've seen implemented using the IE interface, for example, his concern seems pretty on-target, since by automating IE you could very easily get to the filesystem and bypass your normal checks against such stuff. The fact is, browsers often have security issues, and what you're talking about - a web thumbnail generator - is, in effect, a browser - one that's running on your server. Personally, I don't know about you, but I wouldn't generally recommend the use of IE from a server console to browse a public internet site. CFHTTP, on the other hand, really doesn't pose the same sorts of risks, because it doesn't render anything - it just fetches.

> Or perhaps I'm being too anal now. ;)

You do seem to be a very, very angry man. Perhaps because of your name in lights? http://www.uncom.com/cfmx

Yuk, yuk, yuk.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

07/18/2002 06:18 PM
Author:
Raymond Camden

> The idea may not be insecure, but the implementation may very
> well be. Given similar things I've seen implemented using the
> IE interface, for example, his concern seems pretty
> on-target, since by automating IE you could very easily get

Well, I still say that I never once mentioned making an instance of IE. But now I'm being defensive. ;)

> > Or perhaps I'm being too anal now. ;)
>
> You do seem to be a very, very angry man. Perhaps because of
> your name in lights? http://www.uncom.com/cfmx

Hmm, I don't know who this jedimaster person is - but when I find him - I'm going to pound him!

=======================================================================
Raymond Camden, ColdFusion Jedi Master for Macromedia
Email    : jedimaster@macromedia.com
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda

07/18/2002 06:27 PM
Author:
Todd

> > You do seem to be a very, very angry man. Perhaps because of
> > your name in lights? http://www.uncom.com/cfmx
>
> Hmm, I don't know who this jedimaster person is - but when I find him -
> I'm going to pound him!

Silly Jedi...!

07/18/2002 06:39 PM
Author:
Matt Liotta

I think this brings up interesting security issues for virtual hosting companies. In this case, accessing files with IE would be done using the application server's user. Thus enabling all of the virtual users to see each other's files since there is only a single application server.

Matt Liotta
President & CEO
Montara Software, Inc.
http://www.montarasoftware.com/
V: 415-577-8070
F: 415-341-8906
P: 4155778070@messaging.sprintpcs.com
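Dave's point that a fetcher which only fetches is safer than a browser engine that can be handed file paths, and Matt's point that every virtual site's file access runs as the one application-server user, both come down to two checks a server-side URL/thumbnail fetcher can make before it touches anything. The following is an added illustration in Python, not ColdFusion code and not from any poster; the two-customer directory layout it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import urlsplit

# Only real web URLs may reach the fetcher; everything else is refused up front.
FETCH_SCHEMES = {"http", "https"}


def is_fetchable_url(target: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host name.

    file: URLs, UNC paths (\\\\server\\share), drive paths (C:\\...) and bare
    POSIX paths all fail here, so a 'thumbnail this URL' request can never be
    turned into a read of the server's own filesystem.
    """
    parts = urlsplit(target.strip())
    return parts.scheme.lower() in FETCH_SCHEMES and bool(parts.hostname)


def resolve_in_sandbox(site_root: Path, requested: str) -> Optional[Path]:
    """Return the real path for `requested` if it stays under `site_root`, else None.

    resolve() collapses '..' and follows symlinks on both sides, so a link planted
    in one customer's tree cannot be used to reach another customer's files even
    though every site runs under the same application-server account.
    """
    root = site_root.resolve()
    candidate = (root / requested).resolve()
    if candidate == root or root in candidate.parents:
        return candidate
    return None


def demo() -> Dict[str, bool]:
    """Constructed two-customer layout; True means the request would be served."""
    base = Path(tempfile.mkdtemp())
    site_a, site_b = base / "site_a", base / "site_b"
    site_a.mkdir()
    site_b.mkdir()
    (site_a / "index.htm").write_text("customer a")
    (site_b / "secret.txt").write_text("customer b")
    os.symlink(site_b / "secret.txt", site_a / "link.txt")  # link pointing outside site_a
    return {
        "own file": resolve_in_sandbox(site_a, "index.htm") is not None,
        "dotdot": resolve_in_sandbox(site_a, "../site_b/secret.txt") is not None,
        "absolute": resolve_in_sandbox(site_a, str(site_b / "secret.txt")) is not None,
        "symlink out": resolve_in_sandbox(site_a, "link.txt") is not None,
    }
```

Only the first entry of `demo()` is served; the other three are refused because their resolved path leaves the site root.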

07/18/2002 07:21 PM
Author:
Jochem van Dieten

Dave Watts wrote:

Thank you Dave. That says it much better than I did.

Jochem

07/18/2002 06:24 PM
Author:
Dave Watts

> > The idea may not be insecure, but the implementation may very

That's just an example. To build a web thumbnail generator, you need to build something very close to a fully functional browser - it has to be able to fetch HTML and images, and render them to some context. I've seen examples that used IE for this, but they could use other engines (say, Mozilla, perhaps) or provide their own engine. But it really doesn't matter, as long as they provide the same sort of functionality as a browser they're going to be subject to the same flaws as a browser. In any case, given the complexity of developing a complete browser, I'd guess that most people faced with the task of developing a web thumbnail generator would start with existing browser components rather than writing the whole damn thing from scratch.

> Hmm, I don't know who this jedimaster person is - but when I
> find him - I'm going to pound him!

Give him the supreme whopper!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

07/18/2002 07:35 PM
Author:
Dave Watts

> I think this brings up interesting security issues for
> virtual hosting companies. In this case, accessing files
> with IE would be done using the application server's user.
> Thus enabling all of the virtual users to see each other's
> files since there is only a single application server.

Well, personally, I've always thought that secure shared hosting was always pretty much a lost cause. I think that the only reasonably safe approach is to use virtual machines - something like VMware's GSX server, for example. While Jochem's setup is probably safe enough for most people, I doubt that many shared hosting providers go to that extreme. It just seems like too much trouble to me, but maybe I'm just too lazy. And when you start using CF in virtual machines, I suspect you might need one license for each VM, which might be a bit expensive.

I do remember the "old days", though, when a web server administrator was expected to read every CGI script to ensure that it didn't do anything bad.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

07/18/2002 07:39 PM
Author:
Todd

> And when you start using CF in virtual machines, I suspect you might need one license for each VM,
> which might be a bit expensive.

What, you can't just run CFMX in virtual distributed mode? ;-) Just kidding....

~Todd

Todd Rafferty (todd@web-rat.com)
http://www.web-rat.com/
Team Macromedia Volunteer for ColdFusion
http://www.macromedia.com/support/forums/team_macromedia/
Moderator @ FlashCFM.com - http://www.flashCFM.com/
Back-end Moderator @ Ultrashock.com - http://www.ultrashock.com/

07/18/2002 07:45 PM
Author:
Matt Liotta

I certainly agree and have stated so in other threads. The virtual machine image concept is finally starting to go somewhere. It is now possible to easily host many different Linux images on the same hardware. IBM also offers this kind of setup on its mainframes. Although, the costs of hardware are making this setup less cost effective. For example, RLX makes a blade chassis that can accommodate 24 blades in 3 U of space. With each blade costing around $1500 a piece, a rack full of blades is a much better deal than a mainframe.

Matt Liotta
President & CEO
Montara Software, Inc.
http://www.montarasoftware.com/
V: 415-577-8070
F: 415-341-8906
P: 4155778070@messaging.sprintpcs.com

07/18/2002 09:12 PM
Author:
Craig Thomas

Holy s$%# Batman! Did Dave and Matt just agree!?

07/18/2002 09:20 PM
Author:
Matt Liotta

We always agree... we just pretend like we're at each other's throats for the entertainment of the list.

Matt Liotta
President & CEO
Montara Software, Inc.
http://www.montarasoftware.com/
V: 415-577-8070
F: 415-341-8906
P: 4155778070@messaging.sprintpcs.com

07/18/2002 09:25 PM
Author:
Craig Thomas

Well then, thank you both... as the show is always great.

07/18/2002 09:31 PM
Author:
Craig Thomas

It's such a good show, we all learn by osmosis!

07/19/2002 09:09 AM
Author:
Sarsoun, Jeff

Yes, but has anybody ever seen Matt and Dave in the same room together, hmmm?

Jeff

07/19/2002 09:17 AM
Author:
Jochem van Dieten

Sarsoun, Jeff wrote:
> Yes, but has anybody ever seen Matt and Dave in the same room together,
> hmmm?

Are you suggesting they are one and the same person with multiple personalities?

Jochem

07/19/2002 10:40 AM
Author:
Matt Liotta

There is documented proof that we are different people. We both gave presentations on the same day at 2001: A CF Odyssey. He gave a presentation on securing IIS. Then I gave a presentation on CF and Linux and used many of his presentation's points to make a case for Linux.

Matt Liotta
President & CEO
Montara Software, Inc.
http://www.montarasoftware.com/
V: 415-577-8070
F: 415-341-8906
P: 4155778070@messaging.sprintpcs.com