 28 Feb 2019, Konstantin Olchanski, Info, resource file search path, mhttpd magic urls
|
> url contains midas.js -> send_resource("midas.js")
mhttpd looks for resource files in these directories in this order:
|
 01 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
Before the days of javascript and ajax and web 2.0, MIDAS introduced "custom pages" for
building graphical display that could show "live" data from MIDAS and that could
have buttons and controls to operate slow controls equipment, etc.
|
|
04 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
Parsing all URL in mhttpd to prevent /etc/passwd etc. to be returned is tricky, because people can use escape sequences etc. Therefore I think it is much
better to restrict file access
on the file system level when opening a file. The only escape there one could have is "..", which can be tested easily.
|
|
04 Mar 2019, Thomas Lindner, Info, Gyrations of custom pages and ODB /Custom/Path
|
Hi Stefan and Konstantin,
I think that this proposal sounds fairly reasonable. I agree that we might as well move to a secure final solution at this point.
|
|
04 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
Sounds reasonable to me.
Stefan
|
|
04 Mar 2019, Suzannah Daviel, Info, Gyrations of custom pages and ODB /Custom/Path
|
I see two separate issues here.
One is restricting the custom pages to ONE directory such as
|
|
04 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
Hi, guys, as I was exploring the code and the commit history on Thursday (git rules!) and
as I worked on getting the old custom files to work with Suzannah on Friday, I think
I know how I want this code to work. I think there is no need to break with the old
|
|
05 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
First, I did not propose to give up the /Custom tree in the ODB, sorry for the misunderstanding. We still need it in order to display the menu with the
custom pages at the left side navigation bar. In principle all can stay like it is, except we remove /Custom/Path and rewrite the file server to restrict
it only
|
|
05 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
> - mhttpd cannot serve /etc/passwd by default as "/" is forbidden in file names added to /Custom/Path.
You do this with a simple
|
|
05 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
> > - mhttpd cannot serve /etc/passwd by default as "/" is forbidden in file names added to /Custom/Path.
> You do this with a simple
> if (custom_path == "/")
|
|
05 Mar 2019, Thomas Lindner, Info, Gyrations of custom pages and ODB /Custom/Path
|
> First, I did not propose to give up the /Custom tree in the ODB, sorry for the misunderstanding. We still need it in order to display the menu with the
custom pages at the left side navigation bar. In principle all can stay like it is, except we remove /Custom/Path and rewrite the file server to restrict
it only
|
|
05 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
> First, I did not propose to give up the /Custom tree in the ODB, sorry for the misunderstanding.
> We still need it in order to display the menu with the custom pages at the left side navigation bar.
> In principle all can stay like it is, except we remove /Custom/Path and rewrite the file server to restrict it only
|
|
05 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
> > > - mhttpd cannot serve /etc/passwd by default as "/" is forbidden in file names added to /Custom/Path.
> > You do this with a simple
> > if (custom_path == "/")
|
|
05 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
> Just set
> /Custom/Path = /./
> which is allowed right now and then access etc/passwd, which translates to /./etc/passwd and then you get the password file.
|
|
05 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
I stop the discussion here because it goes in circles. We can't convince each others, so somebody has to give up, and that's me.
> We have several large installations at TRIUMF that use the old-style custom pages - MUSR, BNMR/BNQR, TITAN (and more?) -
|
|
05 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
> > We have several large installations at TRIUMF that use the old-style custom pages - MUSR, BNMR/BNQR, TITAN (and more?) -
> > none of these experiments are going away any time soon and none of these custom pages are rewriting themselves.
>
|
|
05 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
>
> That sounds fine, as long as it is clearly documented.
>
|
|
05 Mar 2019, Stefan Ritt, Info, Gyrations of custom pages and ODB /Custom/Path
|
> The biggest problem so far we have seen is with some pages having incorrect form submission
> settings - some forms use the wrong form "action" attribute, which worked before, we do not know
> why, and definitely does not work now. This is not something that we can fix on the midas side.
|
|
05 Mar 2019, Konstantin Olchanski, Info, mhttpd magic urls
|
> Here is the list of mhttpd magic URLs.
See additional magic URLs at the very bottom:
|
|
06 Mar 2019, Konstantin Olchanski, Info, Gyrations of custom pages and ODB /Custom/Path
|
> > The biggest problem so far we have seen is with some pages having incorrect form submission
> > settings - some forms use the wrong form "action" attribute, which worked before, we do not know
> > why, and definitely does not work now. This is not something that we can fix on the midas side.
|