shindig-users mailing list archives

From soaw...@web.de
Subject Making public shindig secure?
Date Wed, 08 Jun 2011 10:58:50 GMT
Hello everyone,
 
I’m currently evaluating shindig as Open Social Container for our project which should be
a public site.
I checked the code and I have the following security concern:
In my opinion you could use at least the servlets GadgetRenderingServlet, ConcatProxyServlet
and JsServlet to request any resource from the internet via the shindig server. For example
by using:
http://opensocial.test:8080/shindig/gadgets/concat?container=default&gadget=http%3A%2F%2Fgadget.test%3A8080%2Fwebapp%2Fgadget&debug=1&nocache=1&type=js&1=http%3A%2F%2Fwww.google.com
to request the Google page.
This could be used for local IPs too, like 1=http%3A%2F%2Flocalhost%2Fsecret
 
What's the proposed way to make this secure?
I can think about the following ways:
1.)    Use a filter for the servlets and restrict the access by programmatically checking
the parameters
2.)    Use a firewall to restrict access for the webapp container
 
Thanks and best regards
Tom
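One way to implement option 1 from the message above, as an added example that is not code from the original post or from the Shindig project: a servlet filter that sits in front of the concat, proxy and JS servlets and rejects any request parameter holding an absolute URL whose host is not on an allowlist or currently resolves to a loopback, link-local, site-local or multicast address. The class name FetchTargetFilter, the allowlisted hosts and the assumption that the filter is mapped in web.xml to /gadgets/concat, /gadgets/proxy and /gadgets/js are all hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example, not Shindig code). Assumption: mapped in
 * web.xml to /gadgets/concat, /gadgets/proxy and /gadgets/js. Every request
 * parameter that looks like an absolute http(s) URL is checked before the
 * request reaches the servlet, so "1=http://localhost/secret" or a
 * "gadget=" / "url=" pointing at an internal host is refused with 403.
 */
public class FetchTargetFilter implements Filter {

    // Assumption: only these hosts may be fetched through this container.
    private static final Set<String> ALLOWED_HOSTS = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList("gadget.test", "cdn.example.org")));

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            for (String value : request.getParameterValues(name)) {
                if (looksLikeUrl(value) && !isAllowedTarget(value)) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "fetch target not permitted in parameter " + name);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    static boolean looksLikeUrl(String value) {
        String v = value.toLowerCase();
        return v.startsWith("http://") || v.startsWith("https://");
    }

    static boolean isAllowedTarget(String value) {
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException ex) {
            return false;   // unparsable: refuse instead of letting the servlet guess
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!scheme.equals("http") && !scheme.equals("https")) return false;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return false;

        // Defense in depth: an allowlisted name must not point at an internal
        // address either (all A/AAAA records are checked).
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (isInternal(addr)) return false;
            }
        } catch (UnknownHostException ex) {
            return false;
        }
        return true;
    }

    static boolean isInternal(InetAddress a) {
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
            || a.isSiteLocalAddress() || a.isMulticastAddress();
    }
}
```

Two caveats a practitioner should keep in mind. The address check happens in the filter, while the actual fetch resolves the name again later, so a name that is rebound between the two lookups (DNS rebinding) or a 3xx redirect from an allowed host to an internal one is not caught here; the host allowlist is the part that holds, the IP check only narrows the window. Also, the Java predicates used above do not cover every non-public range (for instance the IPv6 ULA block fc00::/7 or 100.64.0.0/10), so option 2 from the message, egress filtering on the container host, remains a useful complement rather than an alternative.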
