[josm-dev] Mandatory login for JOSM wiki
Dirk Stöcker
openstreetmap at dstoecker.de
Sun Feb 27 11:47:17 GMT 2011
On Sun, 27 Feb 2011, Frederik Ramm wrote:
>> Well, you assume that OSM-SVN is much better than external plugins.
>
> In OSM SVN, if someone uploads malicious code, at least we know who it was.
> We can block the account. They will have difficulty repeating that.
>
> As things are with JOSM trac, someone can change the address and version of a
> popular plugin to his malicious code, and the malicious plugin will
> automatically find its way onto the harddisks of JOSM users everywhere. And
No. He can't. He only can add a new one with a new name.
You should take a look again at what was written previously. The wiki
interface allows you add stuff. But this is not the interface which is
accessed by JOSM. JOSM accesses an compiled interface, which is created by
internal cron job. You can't overwrite the SVN-plugin links in a magic way
(if you can, then the cron job would be buggy and needs to be fixed).
> This is not new - I know that. But it is a change that came gradually and
> nobody ever raised a warning. In the beginning we just had a plugin list that
> people could look at, and click on a link to download something. Later we
> parsed the list automatically, and now we're even doing so in regular
> intervals. In my eyes this is asking for trouble, and a security policy of
No. We don't do that. There is an important abstraction layer between the
Wiki and JOSM input data. I didn't introduce that because it thought I
need to change anything, but because I wanted to take away the chance to
do exactly what you propose here could be done.
As said - The time that JOSM parsed Wiki pages is long gone - except for
start page and help - which are only displayed in a limited web-display
(i.e. no javascript, ...), not parsed.
>> So the same for plugins. Our open policy caused a lot of plugins
>> introducing new features and attracted new developers. I don't want to
>> change this without a real reason.
>
> Yeah, let's not get too distracted. This is not about stricter rules. It's
> just about making sure that if config changes are made that affect JOSM
> users, these config changes should not come from anonymous users. Or else, if
> we don't want to do that, then we must at least invent something that shields
> JOSM users from it - say, have a default mode in JOSM that is "only accept
> configuration updates from registered JOSM contributors" vs. "accept
> anonymous configuration updates from everyone", with the default being option
> 1.
Again I assume that this written with the idea behind, that anybody can
directly influence the data JOSM gets. This is not possible. You always
have to pass through validity checks. There are leaks there as well, but
they are much harder to explore than a simple "Edit the wiki".
The JOSM server cron can introduce a lot of additional checks in future to
prevent certain types of attacks when the need arises. One reason why the
server code is not public is that I want to prevent code analysis for
potential security issues. I know "security by obscurity" does not work,
but it at least increases the workload for the attacker and most tries to
fiddle around with issues therein would cause a lot of logs to pop up in
my mailbox.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
More information about the josm-dev
mailing list