ETT-477 Update under_server references in imgsrv #196
- Remove code that de-restricts when not under server (e.g., `$self->restricted(0) unless ( Debug::DUtils::under_server() );`)
  - `SRV/Article/EPUB.pm`
  - `SRV/Article/PDF.pm`
  - `SRV/Volume/Base.pm`
  - `SRV/Volume/EPUB.pm`
  - `SRV/Volume/HTML.pm`
  - `SRV/Volume/PDF.pm`
  - `SRV/Volume/Remediated/Bundle.pm`
- Remove conditional use of `SRV::Utils::Stream` for output (e.g., `if ( ! $self->output_filename || Debug::DUtils::under_server() )`)
  - `SRV/Article/PDF.pm`
  - `SRV/Volume/PDF.pm`
- Completely de-restrict `SRV/Cover.pm`
- Always translate to character entities in DEBUG output
  - `SRV/SearchUtils.pm`
- Explicitly initialize `super` to `undef` in `_default_params()` since I believe the existing code is wrong
  - `SRV/Volume/Base.pm`
- Miscellaneous logic simplifications
  - `SRV/Image.pm`
  - `SRV/Utils.pm`
- Update psgi apps to use `SRV::Utils::under_server`
  - FIXME: do we even need that?
| builder { | ||
|
|
||
| if ( under_server() ) { | ||
| if ( SRV::Utils::under_server() ) { |
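Review bot: the fully qualified call `SRV::Utils::under_server()` only resolves if `SRV::Utils` is loaded in this psgi file; the old bare `under_server()` implies it was imported from a different package (the description names `Debug::DUtils`), so confirm a `use SRV::Utils;` is present and that the old import is dropped so the two implementations cannot diverge. The description's own FIXME asks whether this gate is needed at all; if it is removed, a short comment in the `builder` block should record that the wrapped middleware is now always enabled.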
The question is, do we even need these at all? Applies to this file and imgsrv.psgi as well.
I'm not sure how I feel about URLFixer in general. If there are percent-escaped ';' or '=' characters in the URL, then it will unescape the entire URL and redirect to that. That's a problem we see with the ChatGPT-created queries to ssd.
I could imagine some kind of redirection attack though -- basically tricking imgsrv into redirecting to something unexpected -- but I'm not sure exactly what the threat model would be.
It may be worthwhile seeing if there's evidence of legit requests to imgsrv that would trigger this (i.e. requests to imgsrv containing %3B or %3D), and if we can't find any, we just disable URLFixer entirely.
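The log check suggested in the comment above, written out as an added Python example (not part of imgsrv or this PR): it scans access-log lines for imgsrv requests containing `%3B` or `%3D`, and for each hit reports whether decoding the whole URL first, which is what the comment says URLFixer does, would produce a different parameter set than normal per-parameter decoding. The Apache combined-style log format, the `/cgi/imgsrv` path prefix and the sample lines are all constructed assumptions.

```python
"""Triage of imgsrv access-log lines for requests that would trigger URLFixer.

Added example (not part of the imgsrv code base): it flags requests whose
target contains a percent-escaped ';' (%3B) or '=' (%3D) and reports whether
unescaping the whole URL, as the comment says URLFixer does, changes the
parameter set.  Assumptions: Apache combined-style log lines and the
'/cgi/imgsrv' path prefix; both, and the sample lines, are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not real traffic); IDs are placeholders.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi/imgsrv/image?id=test.0001;seq=5 HTTP/1.1" 200 512
10.0.0.2 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi/imgsrv/image?id=test.0001%3Bseq%3D5 HTTP/1.1" 302 0
10.0.0.3 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi/pt/search?q=foo%3Bbar HTTP/1.1" 200 100
10.0.0.4 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi/imgsrv/cover?id=test.0001&width=250 HTTP/1.1" 200 2048
"""

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Percent-escaped ';' or '=' anywhere in the target (hex digit either case).
TRIGGER_RE = re.compile(r"%3[bBdD]")


def would_trigger_urlfixer(target: str) -> bool:
    """True if the target contains %3B or %3D, the condition under which the
    comment says URLFixer unescapes the whole URL and redirects."""
    return TRIGGER_RE.search(target) is not None


def _params(query: str) -> dict:
    """Parse a query string the way a per-parameter CGI parser does: split on
    ';' or '&' (imgsrv uses ';'), then decode each key and value on its own."""
    params = {}
    for pair in re.split(r"[;&]", query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def redirect_changes_params(target: str) -> bool:
    """True when decoding the whole target first (URLFixer's behaviour) yields a
    different parameter set than decoding per parameter.  An escaped ';' inside
    a value becomes a separator after whole-URL decoding, so 'id=a%3Bseq%3D5'
    turns into two parameters; an escaped '=' inside a value does not."""
    per_param = _params(urlsplit(target).query)
    whole_url = _params(urlsplit(unquote(target)).query)
    return per_param != whole_url


def triage(log_text: str, path_prefix: str = "/cgi/imgsrv") -> list:
    """Return one record per request under path_prefix that would trigger
    URLFixer, with a flag saying whether the redirect alters the parameters."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match is None:
            continue
        target = match.group("target")
        if not urlsplit(target).path.startswith(path_prefix):
            continue
        if would_trigger_urlfixer(target):
            hits.append({"target": target,
                         "params_change": redirect_changes_params(target)})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        label = "PARAMS CHANGE" if hit["params_change"] else "cosmetic"
        print(f"{label:14}{hit['target']}")
```

Run it over a real log by replacing `SAMPLE_LOG` with the file contents; hits marked `cosmetic` are candidates where URLFixer is doing nothing useful, while `PARAMS CHANGE` hits are the ones to look at before deciding whether to disable it, since those are requests whose meaning the redirect actually alters.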
| # this can only be passed from the command line | ||
| $params{super} = undef; | ||
| } | ||
|
|
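Review bot: the comment `# this can only be passed from the command line` no longer describes the code once `$params{super} = undef;` is unconditional inside the block; update the comment to state what the block now guarantees (that `super` is never taken from the request), and add a test that a request carrying `debug=super` does not receive super privileges without the intended authorization, since that is exactly the behaviour the reviewers are asking to confirm.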
I believe the existing code should be `if` instead of `unless`, because it makes no sense otherwise based on the comment. I don't know if this change is more secure big-picture-wise, but it is simpler.
Yeah, this doesn't make any sense. We should check, if we remove it, that `debug=super` still works and works only for logged-in users with appropriate permissions.
aelkiss left a comment
I have a number of questions, mostly if we should get rid of some of the other under_server checks entirely, and making sure my understanding is the same.
| enable "PopulateENV", app_name => 'imgsrv'; | ||
|
|
||
| enable_if { (under_server() && $ENV{HT_DEV}) } 'StackTrace'; | ||
| enable_if { (SRV::Utils::under_server() && $ENV{HT_DEV}) } 'StackTrace'; |
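Review bot: `StackTrace` renders exception details to the client, so the condition at `enable_if { (SRV::Utils::under_server() && $ENV{HT_DEV}) }` is the only thing keeping traces out of production responses; if the `under_server()` half is dropped as suggested, make sure `HT_DEV` cannot be set in a production environment (it is a plain environment variable with no other guard visible here), or gate on the Plack environment instead.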
Can we think of any reason not to enable solely based on HT_DEV or (maybe better) the plack environment?
| enable_if { (SRV::Utils::under_server() && ! $ENV{HT_DEV}) } "HTTPExceptions", rethrow => 0; | ||
|
|
||
| if ( under_server() ) { | ||
| if ( SRV::Utils::under_server() ) { |
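Review bot: with `HTTPExceptions` enabled under `(SRV::Utils::under_server() && ! $ENV{HT_DEV})` and `StackTrace` under `(SRV::Utils::under_server() && $ENV{HT_DEV})`, a request served outside `under_server()` gets neither middleware, so exceptions propagate to the server unhandled; if the `under_server()` gate stays, document that case, and if it goes, the two `enable_if` conditions collapse to a single `HT_DEV` switch, which is easier to reason about and to test.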
I'd be inclined to just always enable these -- given we do local development in docker, I can't think of a case where we wouldn't be under_server.
| my $ext = shift; | ||
| my $output_filename = | ||
| SRV::Utils::generate_output_filename($env, [ $self->file, $self->mode, 'full', $self->size, '0', $self->quality, $self->restricted, 'ZZZ' ], $ext); | ||
| SRV::Utils::generate_output_filename($env, [ $self->file, $self->mode, 'full', $self->size, '0', $self->quality, 'ZZZ' ], $ext); |
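Review bot: removing `$self->restricted` from the list passed to `SRV::Utils::generate_output_filename` changes the cache filename of every existing cover, so previously cached files become orphans unless the cache directory is purged; state in the PR whether that is intended. It also means a restricted and an unrestricted request now share one cache entry, which is only safe if the rendered cover is identical in both cases; a one-line comment at the call site saying so would stop the next reader from tripping over it.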
Just removing `$self->restricted` here threw me for a loop, but it looks like `generate_output_filename` just makes a hash of all the options, and if covers are never restricted then having it in the hash doesn't matter. It does change the cache key for existing cover images, though, so I might be inclined to keep it in the hash?
| my $restricted = $self->restricted; | ||
| unless ( defined $restricted ) { | ||
| # $restricted = $C->get_object('Access::Rights')->assert_final_access_status($C, $gId) ne 'allow'; | ||
| $restricted = $$env{'psgix.restricted'}; |
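Review bot: `$restricted = $$env{'psgix.restricted'};` leaves `$restricted` undefined when the key is absent, and the commented-out `Access::Rights` line above it is dead code; if covers are meant to be served regardless of access status, set `$restricted` explicitly (or drop the lookup entirely) and delete the commented line, so the intent is not hidden behind an env key that other middleware may or may not have set.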
Could there be other ways (throttling, etc.) where `psgix.restricted` gets set, even though in general covers should be unrestricted?
Or I guess the point is that restricted could be set, but it doesn't matter because we serve the cover anyway?