Great Circle Associates Majordomo-Workers
(October 1997)

Subject: Is 'wh*ch' useful?
From: Jason L Tibbitts III <tibbs @ hpc . uh . edu>
Date: 14 Oct 1997 01:28:03 -0500
To: majordomo-workers @ greatcircle . com

I keep seeing comments to the effect that the which command is dangerous
and that it compromises security and I'm wondering what I should do about
it.  Right now I do the following:

*) Make a global access check; the value returned is the total maximum hit
   count.  (The access routine conveniently returns a huge number if you
   give a correct password.)

*) Loop only over the lists that are advertised.

*) Make a per-list access check; the value returned is the maximum hit
   count for this list.  If the request is denied, the list is skipped.

The match can be made via a substring or regex match.

Note that the site owner can set a maximum, and each list owner can set a
maximum or deny the request entirely.  Plus the advertise settings limit
'which' access implicitly.

Does this go far enough?  Does this go too far and limit the usefulness of
the command?  (I'm worried about limiting it to only advertised lists.)
Does anyone ever use the command on your server anyway?  (My server gets a
pretty good amount of legitimate which action, so I wouldn't want to take
it away.)  Is there anything else I can do to restrict 'bad' uses like
sending 'which a' through 'which z'?  Perhaps restrict the match to three
characters or more (more for the regex match)?

Any other thoughts?  (I'm redoing the internals of which at the moment,
which is why I'm asking.)

 - J<
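
As an added illustration (not Majordomo's own code, and written in Python rather than Majordomo's Perl), here is a small model of the 'which' design sketched in the message above: a global access check that returns the total hit budget, a loop restricted to advertised lists, a per-list check that can lower the budget or deny the request outright, substring or regex matching, and the proposed minimum pattern length that would reject a 'which a' through 'which z' sweep. The list names, subscriber addresses, site password, caps and length floors are all constructed for the example.

```python
import math
import re

# Constructed sample configuration for the example; this is not Majordomo's
# real config syntax, and every list name, address and value here is made up.
#   advertise : unadvertised lists are never searched by 'which'
#   which_max : list owner's cap on hits from this list;
#               None = no list-level cap, 0 = owner denies 'which' entirely
LISTS = {
    "announce": {"advertise": True,  "which_max": None,
                 "subscribers": ["alice@example.org", "bob@example.net",
                                 "abe@example.org"]},
    "devel":    {"advertise": True,  "which_max": 1,
                 "subscribers": ["alice@example.org", "carol@example.com"]},
    "private":  {"advertise": False, "which_max": None,
                 "subscribers": ["alice@example.org"]},
    "nowhich":  {"advertise": True,  "which_max": 0,
                 "subscribers": ["adam@example.org"]},
}

SITE_WHICH_MAX = 3           # site owner's cap on total hits per request
SITE_PASSWORD = "hunter2"    # hypothetical; a correct password lifts the cap
MIN_SUBSTRING_LEN = 3        # proposed floor for substring patterns
MIN_REGEX_LEN = 5            # proposed, stricter floor for regex patterns


def pattern_allowed(pattern, regex=False):
    """Proposed anti-enumeration rule: refuse very short patterns."""
    floor = MIN_REGEX_LEN if regex else MIN_SUBSTRING_LEN
    return len(pattern) >= floor


def global_access(password=None):
    """Global access check: the total maximum hit count for this request.
    A correct site password returns an effectively unlimited budget."""
    if password is not None and password == SITE_PASSWORD:
        return math.inf
    return SITE_WHICH_MAX


def list_access(cfg):
    """Per-list access check: this list's maximum hit count (0 = denied)."""
    return math.inf if cfg["which_max"] is None else cfg["which_max"]


def which(pattern, regex=False, password=None):
    """Run a 'which' request.

    Returns (hits, truncated): hits is a list of (listname, address) pairs,
    truncated is True when a site or list cap cut the results short.
    Raises ValueError for patterns below the proposed minimum length.
    """
    if not pattern_allowed(pattern, regex):
        raise ValueError("pattern too short for a 'which' request")

    if regex:
        rx = re.compile(pattern, re.IGNORECASE)
        matches = lambda addr: rx.search(addr) is not None
    else:
        needle = pattern.lower()
        matches = lambda addr: needle in addr.lower()

    total_max = global_access(password)
    hits = []
    truncated = False
    for name in sorted(LISTS):          # deterministic order for the example
        cfg = LISTS[name]
        if not cfg["advertise"]:
            continue                    # advertise settings limit 'which' implicitly
        list_max = list_access(cfg)
        if list_max <= 0:
            continue                    # list owner denies 'which' for this list
        list_hits = 0
        for addr in cfg["subscribers"]:
            if not matches(addr):
                continue
            if len(hits) >= total_max:  # site-wide budget exhausted
                return hits, True
            if list_hits >= list_max:   # this list's own cap reached
                truncated = True
                break
            hits.append((name, addr))
            list_hits += 1
    return hits, truncated


if __name__ == "__main__":
    print(which("alice"))
    print(which("example"))
    print(which("example", password=SITE_PASSWORD))
    print(which("^a.*org", regex=True))
    print(pattern_allowed("a"))
```

Note that even with the site password, the unadvertised "private" list never appears in the output, because the loop in step two skips it before any access check runs; the password only lifts the hit budget. The per-list cap on "devel" still truncates a privileged request, which is the "list owner can set a maximum" behaviour from the message.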


Follow-Ups:
Re: Is 'wh*ch' useful?
From: Norbert Bollow <nb@pobox.com>