[mirror-admin] MirrorManager ACL is useless
Matt_Domsch at Dell.com
Matt_Domsch at Dell.com
Fri Nov 25 23:47:06 EST 2011
I fixed this in upstream on the 1.3 branch now. In both the netblock and rsync acl data entry fields, it now checks that the values are either an IP address (or netblock for the netblock entry), or a DNS hostname that resolves using an A or AAAA lookup. (No, I'm not chasing down CNAMEs at this point.) This patch isn't in production yet. When it is, I'll have to scrub the existing data in the database too.
--
Matt Domsch
Technology Strategist
Dell | Office of the CTO
-----Original Message-----
From: mirror-list-d-bounces at redhat.com [mailto:mirror-list-d-bounces at redhat.com] On Behalf Of Jan Kasprzak
Sent: Tuesday, November 08, 2011 2:20 AM
To: A private discussion group for official mirrors of ftp.redhat.com
Subject: Re: MirrorManager ACL is useless
Axel Thimm wrote:
: I think it should at least be sanitized to be either an ip/network or
: a resolvable hostname at the time of data entry. Yenya's hiddenmodule
: example shows that it can lead to serious issues if the list is used
: (although I think newlines are not that easy to inject).
Last time I have tested it (several months ago), I was able to insert newlines without problem.
: Maybe the list can be pruned and affected mirror admins can be asked
: to reenter their acl hosts/networks.
I agree with that.
: Let's think what we should allow, my 0.02:
:
: o IPv4/IPv6 addresses and networks up to a certain size
: o FQDNs that resolve at data entry time
I would allow up to - say - five IPv4 and five IPv6 addresses per mirror site, or five hostnames. Hostnames MUST resolve at data entry time, and their A and AAAA records MUST lead to address[es], which resolve back to the original hostname.
-Yenya
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox
--
--
More information about the Mirror-admin
mailing list