Thank you for your thoughtful reply.
You rightly object to my statement that "Stylesheet authors are not used to looking at security issues". It isn't a question of anyone's skills or character - it is a question of the division of responsibilities between modules.
As you say, <xsl:include> does not accept parameters. However, document() and <xsl:document> do, and unfortunately some people work around the limitation in include by writing a stylesheet whose output is another stylesheet. So it seems likely that there will be some exploitable XSLT created.
Your Perl script knows that the parameters are user input, and the XSLT will know whether one of them is being used as a file path. One or the other has to clean the input. Since the Perl is taking care of / hiding the network interface, it seems to me that it is responsible for security.
I agree that $context->{style} can't be exploited in your script. But you are publishing model code here. The context object that CGI::XMLApplication uses has the power and risk of global variables. If someone decides for other reasons to copy the CGI parameters into $context - much like you did with the XSLT call - then this could create an exploit.
Thinking about these issues has made me reconsider a script I recently wrote which attempts to match the CGI parameter names to SQL column names.
I think the issue is one of middleware design, and goes wider than security. To make middleware powerful, we try to make it transparent. We look for a design that enforces few preconditions, and promises few postconditions. If we succeed, any design contract must be agreed between the outer layers of the sandwich. Unfortunately such contracts can get neglected. At least, the documentation of the middleware must point out to its clients which responsibilities still lie with them.
It is good to hear that the problem in SOAP::Lite is fixed. I think it came about by starting with considerations of power, transparency, and elegance, instead of starting with the question "What do we want this component to do?".
I agree that you couldn't cover everything in a short article ... I hope you agree that published code is fair game for criticism!
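The following is an added illustration of the point made in this thread about a CGI parameter that ends up inside document(); it is not the poster's script nor part of CGI::XMLApplication. It assumes the XML::LibXSLT and XML::LibXML Perl bindings, and the data directory, stylesheet, parameter name and sample inputs are all made up for the example. The vulnerable path hands the raw request value to the transform; the hardened path keeps the security contract in the Perl layer, first by accepting only a bare name that it maps onto a fixed directory, then by installing a read_file callback so that nothing the stylesheet does (including a stylesheet that was itself generated by another transform) can read outside that directory.

```perl
#!/usr/bin/perl
# Added illustration, not the original poster's script: a CGI parameter that
# the stylesheet feeds into document(), passed through raw and then
# constrained on the Perl side. All names, paths and inputs are made up.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);
use XML::LibXML;
use XML::LibXSLT;

# Hypothetical data directory holding the only file the page may pull in.
my $data_dir = abs_path(tempdir(CLEANUP => 1));
open my $fh, '>', "$data_dir/footer.xml" or die "open: $!";
print $fh '<footer>Copyright example.org</footer>';
close $fh;

# The stylesheet hands its $file parameter straight to document().
my $xsl = <<'XSL';
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:param name="file"/>
  <xsl:template match="/">
    <page>
      <xsl:copy-of select="/doc/node()"/>
      <xsl:copy-of select="document($file)"/>
    </page>
  </xsl:template>
</xsl:stylesheet>
XSL

# Constructed source document standing in for the application's real data.
my $source = XML::LibXML->load_xml(string => '<doc><title>Hello</title></doc>');

sub run_transform {
    my ($xslt, $path) = @_;
    my $sheet  = $xslt->parse_stylesheet(XML::LibXML->load_xml(string => $xsl));
    my $result = $sheet->transform($source,
                                   XML::LibXSLT::xpath_to_string(file => $path));
    return $sheet->output_as_bytes($result);
}

# Vulnerable: whatever the request sent becomes the file document() opens.
sub vulnerable {
    my ($param) = @_;                # e.g. $cgi->param('file'), unchecked
    return run_transform(XML::LibXSLT->new, $param);
}

# Hardened: the Perl layer owns the contract. It (1) accepts only a bare name
# and maps it to a path under $data_dir, and (2) installs a read_file
# callback so that nothing the stylesheet does can read outside $data_dir.
sub hardened {
    my ($param) = @_;
    die "rejected parameter: $param\n" unless $param =~ /\A[a-z0-9_]{1,32}\z/;
    my $path = "$data_dir/$param.xml";

    my $xslt     = XML::LibXSLT->new;
    my $security = XML::LibXSLT::Security->new;
    $security->register_callback(read_file => sub {
        my ($tctxt, $value) = @_;      # $value is the file libxslt wants to open
        $value =~ s{\Afile://}{};
        my $real = abs_path($value);   # resolve symlinks and '..' before comparing
        return 0 unless defined $real;
        return index($real, "$data_dir/") == 0 ? 1 : 0;
    });
    $security->register_callback(read_net => sub { 0 });   # no http/ftp fetches
    $xslt->security_callbacks($security);
    return run_transform($xslt, $path);
}

print hardened('footer'), "\n";                 # footer.xml is merged into the page
eval { hardened('../../../etc/passwd') };
print "blocked: $@";                            # rejected before the XSLT runs
```

The whitelist on the parameter is the check that belongs to the script, since only the script knows the value came off the wire; the read_file callback is the fallback for the case the thread raises, where the stylesheet (or one it generated) ends up calling document() on something the script never reviewed.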