[xwiki-devs] [proposal] Standardize a security specification.

Caleb James DeLisle calebdelisle at lavabit.com
Fri Mar 25 14:17:18 UTC 2011



On 03/25/2011 05:01 AM, Marius Dumitru Florea wrote:
> Hi Caleb,
> 
> On 03/25/2011 12:23 AM, Caleb James DeLisle wrote:
>> Sometimes there is a grey area between a security vulnerability and a really nice feature. I think
>> it is important that everyone understands what a user should be able to do and what a user should not
>> be able to do, since "that's not a bug, that's a feature" is cold comfort to a user who just
>> discovered that his security requirements were not met. Also, having a standard laid down will allow
>> us to better classify security issues if they are discovered (I can proudly say that we have
>> improved here by leaps and bounds). I have a draft document which attempts to detail that line
>> between bug and feature, and I think it is time to move it into main space.
>>
>> http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications
>>
>> WDYT?
> 
> Indeed, we need such a document. A few remarks:
> 
> * 2.4 duplicates 2.2
Thanks, I fixed that.

> * 7.3 is a bit confusing because until that point document title and 
> document content are viewed separately (e.g. 5.2 and 5.3)
I have tentatively changed that to:
* 7.3 When viewing a document, the document's title is part of Document Content and has the same
power. Anywhere else in the wiki, the document title must not have any powers which are not
available to a [[comment>>#comment]].
WDYT?

> * 8.5 is not quite correct because you can instantiate and load classes 
> from velocity but not directly. You can't use the new operator and you 
> don't have access to the Java reflection API but by simply writing:
> 
> #set($list = [1, 2, 3])
> 
> you are creating a new instance of ArrayList.

I added a * to that line and at the bottom:
~* Velocity allows for the instantiation of HashMap, ArrayList, and String objects, and Velocity
scripts can call Java APIs which may return newly instantiated objects.

Look ok?

Caleb

> 
> Thanks,
> Marius
> 
>>
>> Caleb
>>
>> _______________________________________________
>> devs mailing list
>> devs at xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/devs