dev@glassfish.java.net

Re: request asarch review for deploy command enhancement in GlassFish

From: Bill Shannon <bill.shannon_at_oracle.com>
Date: Tue, 21 May 2013 11:57:10 -0700

Thanks for writing the one-pager, Jeremy!

My biggest concern with this is security. It seems that with this change the
administrator on a client machine can cause the server to access files and
network resources that the administrator might not be able to access directly.

It may be true that an administrator already has many ways to cause the server
to do things such as this, but this certainly provides a more direct path.

What would happen in the future if we had (for example) some sort of role based
access control where some administrators had fewer privileges than others? If
we wanted to allow some administrators to only deploy and manage applications,
but not stop or reconfigure the server, would it be safe to allow such an
administrator to use this command?

Perhaps I'm being paranoid, but I'd like to see some discussion about the
security implications of being able to tell the server to access resources that
you might not be able to access directly. Certainly the check for filename
extensions will help, but you still need to be sure to handle cases such as
"file:///etc/passwd?name=foo.ear".

What do our security experts think?


Jeremy wrote on 05/21/13 04:49:
> Hi, Hong:
> Cc: Bill, asarch_ww members:
>
> I want to request an asarch review for enhancement of deploy command to
> support URI operand in GlassFish. There were some previous discussions on the
> enhancement (Sahoo, Tom were also involved), and Tom suggested it might be
> good to let asarch review the proposal as well.
>
> I have written up the proposal in one pager format and posted here:
> https://wikis.oracle.com/display/GlassFish/Production+DeployUri+One+pager
>
> Thanks!
>
> -Jeremy
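The case Bill raises above, "file:///etc/passwd?name=foo.ear", defeats any extension check that looks at the raw operand string, because the ".ear" lives in the query part rather than in the path. The following is an added illustration written for this thread, not code from GlassFish or from the one-pager: it parses the operand with java.net.URI, restricts the scheme to an explicit allowlist, and applies the extension check to the decoded path component only, so that query strings and fragments cannot influence the decision. The allowed scheme and extension lists, the class name and the sample operands are assumptions made for the example; the local-path form of the deploy operand is assumed to be handled separately by the existing command.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not GlassFish code): decide whether a deploy URI operand
 * may be dereferenced by the server on an administrator's behalf.
 */
public final class DeployUriCheck {

    /** Schemes the server may fetch from; an assumed policy, deliberately without "file". */
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");

    /** Archive types the deploy command accepts; an assumed list. */
    private static final List<String> ALLOWED_EXTENSIONS =
            Arrays.asList(".ear", ".war", ".jar", ".rar");

    private DeployUriCheck() {}

    /** Returns null when the operand is acceptable, otherwise the reason for rejection. */
    public static String reject(String operand) {
        final URI uri;
        try {
            uri = new URI(operand);
        } catch (URISyntaxException e) {
            return "not a valid URI: " + e.getMessage();
        }
        if (!uri.isAbsolute()) {
            return "URI must carry a scheme";
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            return "scheme not permitted: " + scheme;
        }
        if (uri.getHost() == null) {
            return "URI has no host";
        }
        if (uri.getUserInfo() != null) {
            return "credentials embedded in the URI are not accepted";
        }
        // Decide on the decoded path only: "file:///etc/passwd?name=foo.ear" has the
        // path "/etc/passwd", and "https://host/x.txt#foo.ear" has the path "/x.txt".
        String path = uri.getPath();
        if (path == null || path.isEmpty()) {
            return "URI has no path";
        }
        String lower = path.toLowerCase(Locale.ROOT);
        for (String ext : ALLOWED_EXTENSIONS) {
            if (lower.endsWith(ext)) {
                return null;
            }
        }
        return "path does not name a deployable archive: " + path;
    }

    public static void main(String[] args) {
        // Constructed sample operands; only the first one should be accepted.
        String[] samples = {
            "https://repo.example.com/apps/foo.ear",
            "file:///etc/passwd?name=foo.ear",
            "https://repo.example.com/secret.txt#foo.ear",
            "http://user:pw@repo.example.com/foo.war",
            "ftp://repo.example.com/foo.war",
            "/tmp/foo.ear",
        };
        for (String s : samples) {
            String reason = reject(s);
            System.out.println((reason == null ? "ACCEPT " : "REJECT ") + s
                    + (reason == null ? "" : "  (" + reason + ")"));
        }
    }
}
```

Two limits are worth keeping in mind. A scheme allowlist stops the server from reading local files on the administrator's behalf, but it does not by itself stop the server from being pointed at network resources that the client could not reach, which is the other half of Bill's concern; deciding which hosts a given administrator may have the server contact is a policy question the thread leaves open, and it is the place where a future role-based scheme would have to plug in. Second, the check must run on the server side: a client-side check in the asadmin command is trivially bypassed by any other client speaking the admin protocol.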