Item8430: registerRESTHandler default authenticate option is insecure
Priority: Enhancement
Current State: Closed
Released In: 2.0.0
Target Release: major
Working on making PermLinkPlugin work for WikiGuest (permalink GUIDs are accessed via a rest handler), I discovered the following:
- Out of the box, foswiki lists rest in auth scripts in configure. So this bug does not affect most installations.
- Removing rest from auth scripts allowed WikiGuest to access the rest handler without any auth challenge. The following two registerRESTHandler calls behave identically, on both release and trunk:
  - Foswiki::Func::registerRESTHandler( 'view', \&rest_view );
  - Foswiki::Func::registerRESTHandler( 'view', \&rest_view, authenticate => 0 );
- The expected behaviour is that (1) should authenticate by default, and behave identically to the following:
  - Foswiki::Func::registerRESTHandler( 'view', \&rest_view, authenticate => 1 );
I get a 401 for WikiGuest on both release and trunk only when passing authenticate => 1.
The current situation is that before I remove rest from authscripts on a live production site, I must audit all extensions that are in use which have rest handlers, that they call with authenticate => 1 unless they have a good reason not to.
--
PaulHarvey - 27 Jan 2010
Your logic is impeccable; as was mine when I left registerRESTHandler with the existing behaviour, when I added authenticate => 1. Of course I didn't think it through sufficiently. Confirmed.
--
CrawfordCurrie - 27 Jan 2010
Yeah, but this is why I would call it a legacy feature, rather than a security bug.
I raised this point many times though, because an attacker could, for example, trigger your KinoSearch indexing every second, without even being logged in...
But I guess defaulting it to authenticated is OK, even though it won't solve enough me thinks. Plugins with REST handlers might have to provide proper authentication ways, to avoid that one can, for example, view a topic using a REST handler, even though the topic is supposed to be restricted.
--
OlivierRaginel - 27 Jan 2010
I suppose it would be nice for there to be ACLs on rest handlers.
Anyway, it looks like the original unit tests were supposed to fail as the current behaviour stands; it's just that it didn't work out that way.
I understand rest handlers can easily be dangerous. Regardless, the current behaviour makes me nervous.
--
PaulHarvey - 27 Jan 2010
Changing this to 1.1/minor. We had the insecure defaults documented in Foswiki::Func, but the tests weren't written that way (failed silently anyway).
We also have validate. And it occurs to me we should protect http_method to only allow POST by default too.
So this is what I propose happens by default - no real behaviour changes here, just the defaults when registering a REST handler:
- Require auth
- Only POST method allowed
- Validation by default
It should be trivial to fix any plugins that assume the old defaults. Plugin authors will have to explicitly override these "more secure" defaults when writing for 1.1, which can only be a good thing.
I don't think that's a big change, let me know if this needs a feature proposal.
Fixing tests.
--
PaulHarvey - 07 Mar 2010
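As an added illustration of the proposal above (example code, not from the Foswiki project or from anyone in this thread), here is a hypothetical plugin that states all three options explicitly rather than relying on whatever the core defaults are, and that also checks the topic's own VIEW ACL inside the handler, since being authenticated is not the same as being allowed to read a restricted topic. It assumes a Foswiki 1.1 installation; the plugin name and the "web"/"topic" request parameters are made up for the example.

```perl
# Hypothetical plugin; the name is an assumption made for this example.
package Foswiki::Plugins::ExampleRestPlugin;

use strict;
use warnings;
use Foswiki::Func ();

our $VERSION           = '1.0';
our $RELEASE           = '1.0';
our $NO_PREFS_IN_TOPIC = 1;

sub initPlugin {
    my ( $topic, $web, $user, $installWeb ) = @_;

    # Never depend on the registration defaults: spell out every
    # security-relevant option so behaviour is the same on 1.0 and 1.1.
    Foswiki::Func::registerRESTHandler(
        'view', \&rest_view,
        authenticate => 1,        # WikiGuest gets a 401 instead of the handler
        validate     => 1,        # request must carry a valid validation key
        http_method  => 'POST',   # a plain link or GET cannot trigger it
    );
    return 1;
}

# Foswiki 1.1 REST handlers receive ($session, $subject, $verb, $response).
sub rest_view {
    my ( $session, $subject, $verb, $response ) = @_;
    my $query = Foswiki::Func::getCgiQuery();
    my ( $web, $topic ) = Foswiki::Func::normalizeWebTopicName(
        $query->param('web') || '', $query->param('topic') || '' );

    unless ( Foswiki::Func::topicExists( $web, $topic ) ) {
        $response->status(404);
        return "no such topic";
    }

    # Authentication only proves who the caller is; the topic's own ACL
    # decides whether that user may read it, so enforce it here too.
    my ( $meta, $text ) = Foswiki::Func::readTopic( $web, $topic );
    unless ( Foswiki::Func::checkAccessPermission(
            'VIEW', Foswiki::Func::getWikiName(), $text, $topic, $web, $meta ) ) {
        $response->status(403);
        return "access denied";
    }

    $response->header( -type => 'text/plain' );
    return $text;
}

1;
```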
Deferred for post-1.1. I have a pretty comprehensive set of tests going but it's not all working happily. If somebody wants a diff to get this into 1.1 please let me know.
--
PaulHarvey - 02 Apr 2010
Any news on this? Almost two years without progress. Is it still an issue? Please clarify if target is 1.2 or 2.0.
--
GeorgeClark - 07 Mar 2012
I got stuck at the time, have since lost the code related to this effort and will try again for 1.2.
--
PaulHarvey - 07 Mar 2012