[Progress Communities] [Progress OpenEdge ABL] Forum Post: RE: PASOE - Setting different environment vars per app


ssouthwe

Guest
Hi Ken, I'm doing fine. It is similar to what you can do with oeablSecurity.csv, but not exactly the same. In oeablSecurity.csv, you are locking down certain URL patterns, whereas with WebRunPath, you're locking down the actual disk folders where the WebSpeed code can pick up a program from and run it.

For example, let's say your propath for PASOE includes these folders:

- (your app)/WEB-INF/openedge (Typical PASOE starting path)
- (your app)/WEB-INF/openedge/websrc (Intended to hold all WebObjects that can be run from the web, using the web compatibility handler)
- C:\mydangeroustools\really (Contains a bunch of programs that may be called from within your app, and which are not intended to be run from the web.)

And hypothetically in that latter directory, you have a long-running report or some process or procedure that could cause grave issues if run when it shouldn't be. Maybe as part of your deployment, you use that folder to contain one-time data conversions or something like that. Maybe you have something there that you use to mask data when you copy your database from prod to dev so you can troubleshoot something. In any case, just assume that this is stuff you don't want end users running.

So you have C:\mydangeroustools\really\badprogram.p. Someone navigates to yourserver:port/.../badprogram.p in their browser. Now, if you have a line in your oeablSecurity.csv like this:

"/web/**","*","hasAnyRole('ROLE_PSCUser')"

then the user at least has to be logged in. But if they are, they've just run your dangerous program. As long as it doesn't have parameters, WebSpeed will pick it up and run it like a WebObject.

That's where WebRunPath comes in. You would set your WebRunPath to WEB-INF/openedge/websrc/* and from then on, WebSpeed will only run things that it finds there.
An attacker would have to know things to try, but given all the various folders within the stock propaths, and how nasty it can get with huge apps, this gives you the peace of mind that you don't have to audit every single piece of code to ensure that it can't happen.
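The two layers the post describes, as an added Python model (not PASOE or WebSpeed code, and not the author's): a propath lookup in the spirit of ABL's SEARCH(), the role rule from the csv line above, and the WebRunPath folder check that stops badprogram.p from being served even to a logged-in user. C:\app stands in for "(your app)", and the file inventory is constructed.

```python
import ntpath

# Constructed model of the post's scenario: the three PROPATH folders,
# with C:\app standing in for "(your app)".
PROPATH = [
    r"C:\app\WEB-INF\openedge",
    r"C:\app\WEB-INF\openedge\websrc",
    r"C:\mydangeroustools\really",
]
# Constructed inventory of which .p files sit in which folder.
FILES_ON_DISK = {
    r"C:\app\WEB-INF\openedge\websrc\orderentry.p",
    r"C:\mydangeroustools\really\badprogram.p",
}
# The WebRunPath from the post: only websrc may serve programs over the web.
WEB_RUN_PATH = [r"C:\app\WEB-INF\openedge\websrc"]


def search_propath(program, propath=PROPATH, files=FILES_ON_DISK):
    """Model of the SEARCH() lookup: the first PROPATH entry holding the program wins."""
    known = {ntpath.normcase(f) for f in files}
    for entry in propath:
        candidate = ntpath.normpath(ntpath.join(entry, program))
        if ntpath.normcase(candidate) in known:
            return candidate
    return None


def inside_run_path(path, run_path=WEB_RUN_PATH):
    """True if the resolved file lies under one of the allowed folders.
    Normalise and case-fold before the prefix test, and require a path
    separator after the root so 'websrcfake' does not match 'websrc'."""
    target = ntpath.normcase(ntpath.normpath(path))
    for root in run_path:
        base = ntpath.normcase(ntpath.normpath(root))
        if target == base or target.startswith(base + "\\"):
            return True
    return False


def may_run(program, roles, required="ROLE_PSCUser"):
    """Layer 1: the oeablSecurity.csv rule "/web/**","*","hasAnyRole('ROLE_PSCUser')".
    Layer 2: the WebRunPath folder check. Returns (allowed, reason)."""
    if required not in roles:                      # URL pattern / role check
        return False, "denied by oeablSecurity.csv (not logged in or missing role)"
    resolved = search_propath(program)
    if resolved is None:
        return False, "program not found on PROPATH"
    if not inside_run_path(resolved):              # disk folder check
        return False, "denied by WebRunPath: " + resolved
    return True, resolved


if __name__ == "__main__":
    for prog in ("orderentry.p", "badprogram.p"):
        print(prog, may_run(prog, {"ROLE_PSCUser"}))
```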
