- From: Priestley, Mark, VF-Group <Mark.Priestley@vodafone.com>
- Date: Mon, 16 Mar 2009 21:48:43 +0100
- To: "Thomas Roessler" <tlr@w3.org>, "Frederick Hirsch" <Frederick.Hirsch@nokia.com>
- Cc: "ext Marcos Caceres" <marcosc@opera.com>, "WebApps WG" <public-webapps@w3.org>
Thanks Thomas (and also Marcin from an earlier email) for the
explanation.
I support Thomas' suggested changes.
Mark
>-----Original Message-----
>From: Thomas Roessler [mailto:tlr@w3.org]
>Sent: 16 March 2009 11:18
>To: Frederick Hirsch
>Cc: Priestley, Mark, VF-Group; ext Marcos Caceres; WebApps WG
>Subject: Re: [widgets] Comments on Widget Signature update
>(was RE: Widget Signature update)
>
>On 13 Mar 2009, at 15:50, Frederick Hirsch wrote:
>
>> Thanks for your review, I have some comments inline. Thomas, can you
>> please review my proposed change to the security considerations text
>> Mark mentioned?
>
>
>I believe that you mean this piece of text:
>
>>> "Implementations that store the content of widget archives to the
>>> file system during signature verification MUST NOT trust any path
>>> components of file names present in the archive, to avoid overwriting
>>> of arbitrary files during signature verification."
>>>
>>
>>
>>> [Comment] I don't understand this sentence - which may well be a
>>> problem with my understanding rather than the sentence - please can
>>> you enlighten me, thanks.
>>
>> I think this is better worded as:
>>
>> Implementations MUST NOT overwrite <widget files> during signature
>> verification, as this could open the possibility of an attack based on
>> substituting content for files due to malformed ds:Reference URIs in a
>> signature that has been replaced.
>>
>> (Thomas, can you please verify that I got that right?)
>
>The basic attack that this piece of the text is about is
>unpacking a zip archive into the file system, trusting path
>components, and ending up overwriting arbitrary system files,
>because the zip file contained '../../../../etc/passwd'.
>(Yes, I'm painting with an extremely broad brush here.)
>
>Two points:
>
>1. This should go into the security considerations, and
>probably shouldn't be phrased as normative text.
>
>2. I agree with Mark that it's probably too confusing; I fear
>that your proposed replacement doesn't capture everything.
>
>I'd suggest this instead:
>
>> Implementations should be careful about trusting path components found
>> in the zip archive: Such path components might be interpreted by
>> operating systems as pointing at security critical files outside the
>> widget environment proper, and naive unpacking of widget archives into
>> the file system might lead to undesirable and security relevant
>> effects, e.g., overwriting of startup or system files.
>
>What do you think?
>
Received on Monday, 16 March 2009 20:49:50 UTC
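The unpacking hazard Thomas describes above, as an added example that is not part of this thread or of any widget implementation: a check that refuses archive entry names able to resolve outside the extraction directory, and an extractor that re-checks each resolved path before writing. The function names and the in-memory sample archives (one carrying the '../../../../etc/passwd' entry from the thread, plus an absolute path and a backslash variant) are constructed for this illustration.

```python
import io, os, posixpath, tempfile, zipfile

def is_safe_member_name(name: str) -> bool:
    """True only if an entry name cannot resolve outside the extraction root."""
    candidate = name.replace("\\", "/")  # some archivers write Windows separators
    if not candidate or candidate.startswith("/") or candidate[1:2] == ":":
        return False  # empty, absolute path, or drive letter
    if ".." in candidate.split("/"):
        return False  # a '..' component anywhere in the path
    return not posixpath.normpath(candidate).startswith("..")

def audit_archive(zip_bytes: bytes) -> list:
    """Return the entry names an implementation should refuse to unpack."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member_name(n)]

def safe_extract(zip_bytes: bytes, dest: str):
    """Refuse the archive if any entry is unsafe; else unpack, yielding each file written."""
    if bad := audit_archive(zip_bytes):
        raise ValueError(f"refusing archive with unsafe entries: {bad!r}")
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # parent directories are created as files need them
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:  # defence in depth
                raise ValueError(f"entry escapes root: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            yield os.path.relpath(target, root)

def try_extract(zip_bytes: bytes):
    """Unpack into a throwaway directory: the written names, or None if refused."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return list(safe_extract(zip_bytes, d))
        except ValueError:
            return None

def build_sample_archive(names) -> bytes:  # constructed fixture helper
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"x")
    return buf.getvalue()

BENIGN = build_sample_archive(["config.xml", "icons/icon.png"])
HOSTILE = build_sample_archive(["config.xml", "../../../../etc/passwd", "/etc/hosts", "..\\win.ini"])
```

Note that the name check alone is not the whole defence: the realpath comparison in `safe_extract` catches anything the normalisation missed, and the archive is rejected as a whole rather than partially unpacked.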