[mirror-admin] MirrorManager ACL is useless
Jan Kasprzak
kas at fi.muni.cz
Tue Nov 8 03:20:06 EST 2011
Axel Thimm wrote:
: I think it should at least be sanitized to be either an ip/network or
: a resolvable hostname at the time of data entry. Yenya's hiddenmodule
: example shows that it can lead to serious issues if the list is used
: (although I think newlines are not that easy to inject).

Last time I tested it (several months ago), I was able
to insert newlines without problems.

: Maybe the list can be pruned and affected mirror admins can be asked
: to reenter their acl hosts/networks.

I agree with that.

: Let's think what we should allow, my 0.02:
:
: o IPv4/IPv6 addresses and networks up to a certain size
: o FQDNs that resolve at data entry time

I would allow up to - say - five IPv4 and five IPv6 addresses
per mirror site, or five hostnames. Hostnames MUST resolve at data entry
time, and their A and AAAA records MUST lead to address[es], which resolve
back to the original hostname.

-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox
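
The entry-time check proposed in this thread, as an added example that is not part of the original message and not MirrorManager code: it rejects embedded newlines, limits network size, and requires hostnames to pass forward-confirmed reverse DNS. The function names, the injectable `forward`/`reverse` resolver hooks and the /24 and /64 limits are assumptions; the thread gives no number for "a certain size".

```python
import ipaddress
import re
import socket

MAX_ENTRIES = 5  # per address family, or hostnames, per mirror site
MIN_PREFIX = {4: 24, 6: 64}  # assumed cap on network size
FQDN_RE = re.compile(  # \Z, not $: "$" would accept a trailing newline
    r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z", re.I)

def dns_forward(name):
    """A and AAAA lookup through the system resolver."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def dns_reverse(addr):
    """PTR lookup through the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def validate_acl_entry(entry, forward=dns_forward, reverse=dns_reverse):
    """Return the normalized ACL entry, or raise ValueError."""
    # An entry is one token: no newlines, spaces or control characters.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in entry):
        raise ValueError("whitespace or control character in entry")
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        net = None
    if net is not None:
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError("network too large")
        return str(net)
    if not FQDN_RE.match(entry):
        raise ValueError("not an IP address, network or FQDN")
    name = entry.lower()
    try:  # every A/AAAA address must resolve back to the same name
        addrs = forward(name)
        ok = bool(addrs) and all(reverse(a).lower().rstrip(".") == name for a in addrs)
    except OSError:
        ok = False
    if not ok:
        raise ValueError("hostname fails forward-confirmed reverse DNS")
    return name

def validate_acl(entries, forward=dns_forward, reverse=dns_reverse):
    """Validate a mirror site's whole ACL and enforce the per-kind limit."""
    clean = [validate_acl_entry(e, forward, reverse) for e in entries]
    hosts = sum("/" not in c for c in clean)
    v6 = sum("/" in c and ":" in c for c in clean)
    v4 = len(clean) - hosts - v6
    if max(hosts, v4, v6) > MAX_ENTRIES:
        raise ValueError("too many entries of one kind")
    return clean
```

The same checks can be run over the existing list to find entries that need to be pruned and re-entered.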