[josm-dev] Mandatory login for JOSM wiki
Frederik Ramm
frederik at remote.org
Sun Feb 27 22:49:54 GMT 2011
Sebastian,
Sebastian Klein wrote:
> Either I don't understand your concerns at all or they are partially
> based on misunderstandings. If it is the latter, I would appreciate a
> summary of the issues you still see.
It is very well possible that I am misunderstanding & overreacting -
wouldn't be the first time ;)
> First of all, if you have a fresh JOSM install, there is no way anyone
> can inject anything into it. The worst that can happen is someone puts
> spam entries into one of the lists. I'm not aware that this ever happened,
> but it wouldn't do much harm. You'd only see it in the preference
> dialogue and not somewhere in the main menu.
> Each extension (preset, style, plugin, wms url, remote control) is
> explicitly activated by the user.
Ok. It seems I have indeed misunderstood Dirk's "JOSM mappaint styles,
mapcss styles and JOSM presets can now be made in the JOSM Trac wiki
pages.". I read into that that even the default settings were maintained
in trac which they don't seem to be.
It seems that the configuration stuff loaded from the server is limited
to (a) the list of imagery layers (JOSM requests that list on startup
even if freshly installed, and without the user asking for it) and (b)
the plugin list (which is only loaded if the user asks for it).
Both of these are not new so I must apologise for my hot-headedness.
But still I think the potential for malice in these should not be
neglected. Anybody can, anonymously, change the list of map layers in
trac, and that will become the default list for any newly started JOSM
instance from that second on, isn't that so? This means that I can
easily add some non-allowed sources there, or change the Bing URL to one
pointing to my ad server, or - and I tried that out just now - make the
imagery menu look like this: http://www.remote.org/frederik/tmp/sucks.png
You could then revert that change after you notice it, but everyone who
has started their JOSM instance for the first time between the change
happening and you fixing it would have the manipulated setting on his
machine until he actively takes steps to fix it (provided he finds out).
And you wouldn't even know who did it, and they can do it again and
again and again until you require a login for the page.
Now I can see the liberal standpoint of "let's fix the problem when it
occurs" and I agree that it has something going for it. However, this
particular problem is very likely to occur, and it can cause quite an
image problem for JOSM (imagine e.g. JOSM being positively mentioned in
a Bing blog; a disgruntled Bing employee changing the imagery list to
something that reads "Bing sucks"; 1000s of people downloading JOSM and
being stuck with "Bing sucks" before Dirk or Sebastian even notice).
The other issue is the plugin list. It seems that I'm preaching to the
choir here because you all have agreed that there are security risks.
The risks are two-fold:
* Someone could change the plugin list to point to a different location
where their evil plugin resides, or add their evil plugin with an
interesting description.
* Someone could upload malicious code for an existing plugin.
The second option would require compromising the plugin location - you
would need to hack into the server that hosts the plugin. If the plugin
is in OSM SVN, then you don't need to hack that, you can simply upload
your malicious version (but we would then know who you are). The first
option just requires some webspace to host your malicious code, and you
just change the plugin list anonymously. If you do it well - if your
plugin indeed does what it claims to do while at the same time uploading
the user's email folder to some phishing site - then maybe nobody will
ever notice.
> In [3936] I changed plugin descriptions, so the user can spot plugins
> that come from an external source. What else can we do?
I would feel much better if there was some accountability to changes in
the plugin list - i.e. I would like to know that user XY with email
address Z added a certain plugin to the list, rather than having that
edited anonymously. If it is too much trouble to flag individual pages
in trac for that, then maybe just have the list in another system - even
OSM SVN if need be.
What are the risks with the remote control mechanism?
Bye
Frederik
--
Frederik Ramm ## eMail frederik at remote.org ## N49°00'09" E008°23'33"
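The two plugin-list risks Frederik lists (an entry redirected to third-party webspace, or an existing plugin's code replaced) can both be caught on the client if the list fetched from the wiki is checked against a manifest that ships with the client instead of being trusted as-is. The script below is an added example, not code from this thread or from JOSM: the pipe-separated list format, the plugin names, the hosts and the jar contents are all constructed for the example, and the pinned manifest stands in for any signed or version-controlled allowlist.

```python
"""Audit a fetched plugin list against a locally pinned manifest.

Example code; the list format (name|url|description, one entry per line),
the plugin names and the hashes are constructed and are not JOSM's own.
"""
import hashlib
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed pinned manifest, shipped with the client rather than fetched
# from the editable wiki: plugin name -> (expected download host, sha256 of jar).
PINNED_MANIFEST = {
    "measurement": ("svn.openstreetmap.org", sha256_hex(b"measurement-jar-v1")),
    "wmsplugin": ("svn.openstreetmap.org", sha256_hex(b"wmsplugin-jar-v1")),
    "validator": ("svn.openstreetmap.org", sha256_hex(b"validator-jar-v1")),
}

# Constructed sample of a list as fetched from the wiki: one untouched entry,
# one whose URL now points at third-party webspace, one brand-new entry with
# an "interesting description", and one whose URL is fine but whose jar changed.
FETCHED_LIST = """\
# constructed plugin list
measurement|https://svn.openstreetmap.org/plugins/measurement.jar|Measure distances
wmsplugin|https://example.invalid/mirror/wmsplugin.jar|WMS support, now faster
superfixer|https://example.invalid/superfixer.jar|Fixes all validation errors for you
validator|https://svn.openstreetmap.org/plugins/validator.jar|Data validator
"""

# Constructed jar contents keyed by URL, standing in for the download step.
FAKE_DOWNLOADS = {
    "https://svn.openstreetmap.org/plugins/measurement.jar": b"measurement-jar-v1",
    "https://example.invalid/mirror/wmsplugin.jar": b"wmsplugin-jar-trojaned",
    "https://example.invalid/superfixer.jar": b"superfixer-jar",
    "https://svn.openstreetmap.org/plugins/validator.jar": b"validator-jar-v2",
}


def parse_plugin_list(text: str) -> list[dict]:
    """Parse the constructed name|url|description format, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = (line.split("|", 2) + ["", ""])[:3]
        name, url, description = (f.strip() for f in fields)
        entries.append({"name": name, "url": url, "description": description})
    return entries


def audit_entry(entry: dict, jar_bytes: bytes, manifest=PINNED_MANIFEST) -> list[str]:
    """Return findings for one entry; an empty list means it matches the pin."""
    pinned = manifest.get(entry["name"])
    if pinned is None:
        # Not in the shipped manifest: an addition made to the wiki list alone.
        return ["unknown-plugin"]
    expected_host, expected_digest = pinned
    findings = []
    host = urlparse(entry["url"]).hostname or ""
    if host != expected_host:
        # The list entry was redirected to some other webspace.
        findings.append("host-mismatch")
    if sha256_hex(jar_bytes) != expected_digest:
        # The bytes served do not match the pinned release, whatever the host.
        findings.append("digest-mismatch")
    return findings


def audit_plugin_list(text: str, downloads: dict, manifest=PINNED_MANIFEST) -> dict:
    """Map each plugin name in the fetched list to its findings."""
    report = {}
    for entry in parse_plugin_list(text):
        jar = downloads.get(entry["url"], b"")
        report[entry["name"]] = audit_entry(entry, jar, manifest)
    return report


if __name__ == "__main__":
    for name, findings in audit_plugin_list(FETCHED_LIST, FAKE_DOWNLOADS).items():
        print(f"{name:12s} {'ok' if not findings else ', '.join(findings)}")
```

The point of the manifest is that whoever can edit the wiki anonymously cannot also edit it: with such a pin in place, a redirected URL or a swapped jar is refused before the plugin is activated, and the list on the wiki only ever adds candidates that the user is told are unverified. The same host-allowlist check applies to the imagery list fetched at startup, where a changed Bing URL or an added layer would show up as an entry that is not in the shipped set.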