[josm-dev] Mandatory login for JOSM wiki

Dirk Stöcker openstreetmap at dstoecker.de
Sun Feb 27 11:47:17 GMT 2011


On Sun, 27 Feb 2011, Frederik Ramm wrote:

>>  Well, you assume that OSM-SVN is much better than external plugins.
>
> In OSM SVN, if someone uploads malicious code, at least we know who it was. 
> We can block the account. They will have difficulty repeating that.
>
> As things are with JOSM trac, someone can change the address and version of a 
> popular plugin to his malicious code, and the malicious plugin will 
> automatically find its way onto the harddisks of JOSM users everywhere. And

No. He can't. He can only add a new one with a new name.

You should take a look again at what was written previously. The wiki 
interface allows you to add stuff. But this is not the interface which is 
accessed by JOSM. JOSM accesses a compiled interface, which is created by an 
internal cron job. You can't overwrite the SVN-plugin links in a magic way 
(if you can, then the cron job would be buggy and needs to be fixed).

> This is not new - I know that. But it is a change that came gradually and 
> nobody ever raised a warning. In the beginning we just had a plugin list that 
> people could look at, and click on a link to download something. Later we 
> parsed the list automatically, and now we're even doing so in regular 
> intervals. In my eyes this is asking for trouble, and a security policy of

No. We don't do that. There is an important abstraction layer between the 
Wiki and JOSM input data. I didn't introduce that because I thought I 
needed to change anything, but because I wanted to take away the chance to 
do exactly what you propose here could be done.

As said - the time that JOSM parsed Wiki pages is long gone - except for the 
start page and help, which are only displayed in a limited web display 
(i.e. no javascript, ...), not parsed.

>>  So the same for plugins. Our open policy caused a lot of plugins
>>  introducing new features and attracted new developers. I don't want to
>>  change this without a real reason.
>
> Yeah, let's not get too distracted. This is not about stricter rules. It's 
> just about making sure that if config changes are made that affect JOSM 
> users, these config changes should not come from anonymous users. Or else, if 
> we don't want to do that, then we must at least invent something that shields 
> JOSM users from it - say, have a default mode in JOSM that is "only accept 
> configuration updates from registered JOSM contributors" vs. "accept 
> anonymous configuration updates from everyone", with the default being option 
> 1.

Again I assume that this was written with the idea that anybody can 
directly influence the data JOSM gets. This is not possible. You always 
have to pass through validity checks. There are leaks there as well, but 
they are much harder to explore than a simple "Edit the wiki".

The JOSM server cron can introduce a lot of additional checks in the future to 
prevent certain types of attacks when the need arises. One reason why the 
server code is not public is that I want to prevent code analysis for 
potential security issues. I know "security by obscurity" does not work, 
but it at least increases the workload for the attacker, and most tries to 
fiddle around with issues therein would cause a lot of logs to pop up in 
my mailbox.

Ciao
-- 
http://www.dstoecker.eu/ (PGP key available)
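A hypothetical model of the "abstraction layer" Dirk describes, added here as an illustration and not JOSM's actual server-side cron code: wiki submissions are run through validity checks, existing entries cannot be overwritten from the wiki side, and only new plugin names are merged into the published list. Entry format, hosts and the version-token rule are assumptions; all sample data is constructed.

```python
"""Model of a wiki -> published plugin list compile step with an
abstraction layer between anonymous wiki edits and what clients fetch."""
from urllib.parse import urlparse


def valid_entry(entry):
    """Basic validity checks on one wiki-submitted entry (assumed format:
    a dict with a string "url" and a string "version")."""
    url = entry.get("url")
    version = entry.get("version")
    if not isinstance(url, str) or not isinstance(version, str):
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    # Version must be a single non-empty token (format is an assumption).
    return bool(version) and not any(c.isspace() for c in version)


def compile_plugin_list(published, wiki_entries):
    """Merge wiki entries into the published list.

    Returns (new_list, rejected). Entries already in `published` are
    immutable from the wiki side: a submission that would change one is
    rejected and logged instead of silently replacing the download link.
    Only new names that pass the validity checks are added.
    """
    result = dict(published)
    rejected = []
    for name, entry in wiki_entries.items():
        if not valid_entry(entry):
            rejected.append((name, "invalid entry"))
            continue
        if name in published:
            if entry != published[name]:
                rejected.append((name, "attempt to change existing entry"))
            continue
        result[name] = entry
    return result, rejected


# Constructed sample data: one SVN-hosted plugin already published, and three
# wiki submissions (a hijack attempt, a legitimate new plugin, a broken one).
PUBLISHED = {
    "validator": {"url": "https://svn.example.org/josm/plugins/validator.jar",
                  "version": "1"},
}
WIKI_SUBMISSIONS = {
    "validator": {"url": "https://evil.example.net/validator.jar", "version": "2"},
    "myplugin": {"url": "https://plugins.example.org/myplugin.jar", "version": "1"},
    "broken": {"url": "not a url", "version": "1"},
}

if __name__ == "__main__":
    new_list, log = compile_plugin_list(PUBLISHED, WIKI_SUBMISSIONS)
    print(sorted(new_list), log)  # ['myplugin', 'validator'] and two rejections
```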
