W3C home > Mailing lists > Public > www-jigsaw@w3.org > January to February 1997

Why Auth is ingoingFilter and not lookup?

From: Alexandre Rafalovitch <alex@access.com.au>
Date: Fri, 31 Jan 1997 16:25:39 +1000
Message-Id: <v03010d04af173d6555b4@[]>
To: www-jigsaw@www10.w3.org

The question said it all. The auth filter and derivatives check security in
'ingoingFilter' method and not in 'lookup' method. I cannot see what are
the reasons for that.

I have two security related problems with it.

1) Somebody can check if a resource exists behind the auth filter because
he would get 404 not found instead of 'auth failed' reply. Try '/Admin/foo'
and you will see my point. This might be a pinhole, but hole nevertheless.

2) If somebody, somehow managed to install a filter/resource behind auth
filter (eg. with putable resources), then when the resource is being looked
up, it can delete auth filter from the list of applicable filters before it
(auth filter) had even a chance to kick in.

3) Let's say, I managed to install a trojan horse anywhere in the system.
That trojan horse during lookup returns the resource protected by a auth
filter in other portion of the system, except it removes auth filter before
it passes control on. If my auth was invoked during lookup, trojan would
never be able to get beyond auth protected resource.

I know I could write my own auth filters and they would not exhibit this
problem, but I want to know what problems that would lead to. This is why I
am asking for reason behind the current model.


--------| I feel as confused as a baby in a topless bar. |--------
Received on Friday, 31 January 1997 00:26:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:30 UTC