[xwiki-devs] [proposal] Standardize a security specification.

Marius Dumitru Florea mariusdumitru.florea at xwiki.com
Fri Mar 25 15:53:05 UTC 2011


On 03/25/2011 04:17 PM, Caleb James DeLisle wrote:
>
>
> On 03/25/2011 05:01 AM, Marius Dumitru Florea wrote:
>> Hi Caleb,
>>
>> On 03/25/2011 12:23 AM, Caleb James DeLisle wrote:
>>> Sometimes there is a grey area between a security vulnerability and a really nice feature. I think
>>> it is important that everyone understands what a user should be able to do and what a user should not
>>> be able to do, since "that's not a bug, that's a feature" is cold comfort to a user who just
>>> discovered that his security requirements were not met. Also, having a standard laid down will allow
>>> us to better classify security issues if they are discovered (I can proudly say that we have
>>> improved here by leaps and bounds). I have a draft document which attempts to detail that line
>>> between bug and feature, and I think it is time to move it into main space.
>>>
>>> http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications
>>>
>>> WDYT?
>>
>> Indeed, we need such a document. A few remarks:
>>
>> * 2.4 duplicates 2.2
> Thanks, I fixed that.
>
>> * 7.3 is a bit confusing because until that point document title and
>> document content are viewed separately (e.g. 5.2 and 5.3)
> I have tentatively changed that to:
> * 7.3 When viewing a document, the document's title is part of Document Content and has the same
> power. Anywhere else in the wiki, the document title must not have any powers which are not
> available to a [[comment>>#comment]].
> WDYT?

+1

>
>> * 8.5 is not quite correct because you can instantiate and load classes
>> from velocity but not directly. You can't use the new operator and you
>> don't have access to the Java reflection API but by simply writing:
>>
>> #set($list = [1, 2, 3])
>>
>> you are creating a new instance of ArrayList.
>
> I added a * to that line and at the bottom:
> ~* Velocity allows for the instantiation of HashMap, ArrayList, and String objects, and Velocity
> scripts can call Java APIs which may return newly instantiated objects.
>
> Look ok?

Yep.

Thanks,
Marius

>
> Caleb
>
>>
>> Thanks,
>> Marius
>>
>>>
>>> Caleb
>>>
>>> _______________________________________________
>>> devs mailing list
>>> devs at xwiki.org
>>> http://lists.xwiki.org/mailman/listinfo/devs