CKEditor FileManager


CKEditor FileManager

Jonathan Vanherpe (T & T NV)
Hi list (and specifically Jason, I guess),

I've been playing with corefive's FileManager for CKEditor (Thanks a lot
for releasing this to the community, Jason). I've set it up but I have a
question about security:

The default setup is that basically everyone that has the URL for the
filemanager can upload and delete files. I've included the website's
session/authentication code in
filemanager/connectors/lasso/filemanager.lasso and
filemanager/scripts/jquery.filetree/connectors/jqueryFileTree.lasso ,
and I was wondering if this was enough to properly secure the upload
folder, or if I need to add more checks.

Jonathan
--
Jonathan Vanherpe - Tallieu & Tallieu nv - [hidden email]

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/



Re: CKEditor FileManager

stevepiercy
On 3/16/10 at 11:28 AM, [hidden email] (Jonathan Vanherpe (T & T nv)) pronounced:

>I've been playing with corefive's FileManager for CKEditor (Thanks a
>lot for releasing this to the community, Jason). I've set it up but I
>have a question about security:
>
>The default setup is that basically everyone that has the URL for the
>filemanager can upload and delete files. I've included the website's
>session/authentication code in
>filemanager/connectors/lasso/filemanager.lasso and
>filemanager/scripts/jquery.filetree/connectors/jqueryFileTree.lasso ,
>and I was wondering if this was enough to properly secure the upload
>folder, or if I need to add more checks.

I assume you mean this instead:

     "everyone that [is authenticated and] has the URL for the
     filemanager can upload and delete files."

AFAIK, there is no built-in security for the filemanager.

Adding the session code should help, but you should add more
checks.  Bil and I were just discussing this yesterday in
regards to CKEditor instances (not the filemanager).  You could
use a token to verify that the request to upload a file came
from the proper user within a proper timeframe.
http://old.nabble.com/Getting-CKEditor-to-display-Lasso-code-in-Source-Editor-tt27894216.html

Also I contributed some code to limit file uploads to explicit
file extensions, but I don't think it made it to the repo.
http://forum.filemanager.corefive.com/topic/restrict-file-upload-by-file-extension-in-lasso

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder              
Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


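The three checks Steve lists above (a session gate, a per-user token that is only good for a limited time, and an extension allow-list), as an added example. This is my illustration in Python, not the corefive FileManager's Lasso connector and not code from anyone in this thread; SECRET_KEY, the Session shape and its role values, the 15-minute lifetime and the allow-list contents are all assumptions for the example.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumptions for the example: a per-deployment secret (load it from config
# in practice), a 15-minute token lifetime and a short extension allow-list.
SECRET_KEY = b"replace-with-a-long-random-server-secret"
TOKEN_TTL_SECONDS = 15 * 60
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


@dataclass
class Session:
    """Stand-in for the site's session record (assumed shape)."""
    user_id: Optional[str] = None
    role: str = "anonymous"          # 'anonymous' | 'user' | 'admin'


def issue_upload_token(session: Session, now: Optional[int] = None) -> str:
    """Token placed in the upload form: issue time plus an HMAC that binds it
    to this user, so it cannot be forged or reused for another account."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SECRET_KEY, f"{session.user_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_upload_token(session: Session, token: str, now: Optional[int] = None) -> bool:
    """The connector re-derives the HMAC for the current user and enforces the window."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SECRET_KEY, f"{session.user_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)     # constant-time comparison


def safe_filename(name: str) -> str:
    """Allow-list the extension and neutralise path and double-extension tricks."""
    base = os.path.basename(name.replace("\\", "/"))         # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")  # conservative charset
    if "." not in base:
        raise ValueError("missing extension")
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: .{ext}")
    # 'shell.php.jpg' -> 'shell_php.jpg': no inner extension for the web server to honour
    return f"{stem.replace('.', '_')}.{ext}"


def authorize_upload(session: Session, token: str, filename: str,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Gate the upload handler runs before it touches the filesystem.
    Returns (False, reason) on refusal or (True, safe_name) on success."""
    if session.user_id is None:
        return False, "not authenticated"
    if session.role != "admin":                 # only site administrators may upload
        return False, "not authorized"
    if not verify_upload_token(session, token, now):
        return False, "bad or expired token"
    try:
        return True, safe_filename(filename)
    except ValueError as exc:
        return False, str(exc)
```

The same gate has to run in both connectors (the upload/delete connector and the file-tree connector), since each is a separately reachable URL; the delete path needs the token check just as much as the upload path.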



Re: CKEditor FileManager

Jonathan Vanherpe (T & T NV)
Steve Piercy - Web Site Builder wrote:

> On 3/16/10 at 11:28 AM, [hidden email] (Jonathan Vanherpe (T & T nv))
> pronounced:
>
>> I've been playing with corefive's FileManager for CKEditor (Thanks a
>> lot for releasing this to the community, Jason). I've set it up but I
>> have a question about security:
>>
>> The default setup is that basically everyone that has the URL for the
>> filemanager can upload and delete files. I've included the website's
>> session/authentication code in
>> filemanager/connectors/lasso/filemanager.lasso and
>> filemanager/scripts/jquery.filetree/connectors/jqueryFileTree.lasso ,
>> and I was wondering if this was enough to properly secure the upload
>> folder, or if I need to add more checks.
>
> I assume you mean this instead:
>
> "everyone that [is authenticated and] has the URL for the
> filemanager can upload and delete files."

No, just having the URL is enough unless you use HTTP authentication to
remove access to the whole folder that contains the filemanager code.

> AFAIK, there is no built-in security for the filemanager.

That explains why I didn't find any ;-) . IIRC the old PHP filemanager
for FCKeditor had this function that basically said 'insert your site
authentication here'. This seemed like a better approach to integrating
with site authentication systems.

> Adding the session code should help, but you should add more checks. Bil
> and I were just discussing this yesterday in regards to CKEditor
> instances (not the filemanager). You could use a token to verify that
> the request to upload a file came from the proper user within a proper
> timeframe.
> http://old.nabble.com/Getting-CKEditor-to-display-Lasso-code-in-Source-Editor-tt27894216.html

For this specific project I only need the site administrators to be able
to upload files. I think using Lasso sessions should be secure enough
(it uses a 'token' and sessions time out after a while too). I tested
the changes I made by going to the URL without being logged in, and I
couldn't upload things, but since I'm not familiar with the code I'm not
sure if I plugged all the holes. I'll take another look.

> Also I contributed some code to limit file uploads to explicit file
> extensions, but I don't think it made it to the repo.
> http://forum.filemanager.corefive.com/topic/restrict-file-upload-by-file-extension-in-lasso

I was going to write my own whitelist thing (even though the users are
trusted, it's still not a good idea to allow people to upload .lasso or
.php files ;-) ), so thanks for sending me this :) .

If I get around to writing image resize code I'll post it somewhere too,
but I'll try to see if they can handle resizing before uploading first.

> --steve

Jonathan

--
Jonathan Vanherpe - Tallieu & Tallieu nv - [hidden email]




Re: CKEditor FileManager

jasonhuck
There is a *huge* laundry list of stuff I need to commit back to the
repository, but I have no time to do it, and no one to help me with
it, currently.

- jason





On Tue, Mar 16, 2010 at 8:29 AM, Jonathan Vanherpe (T & T nv) <[hidden email]> wrote:

> Steve Piercy - Web Site Builder wrote:
>>
>> On 3/16/10 at 11:28 AM, [hidden email] (Jonathan Vanherpe (T & T nv))
>> pronounced:
>>
>>> I've been playing with corefive's FileManager for CKEditor (Thanks a
>>> lot for releasing this to the community, Jason). I've set it up but I
>>> have a question about security:
>>>
>>> The default setup is that basically everyone that has the URL for the
>>> filemanager can upload and delete files. I've included the website's
>>> session/authentication code in
>>> filemanager/connectors/lasso/filemanager.lasso and
>>> filemanager/scripts/jquery.filetree/connectors/jqueryFileTree.lasso ,
>>> and I was wondering if this was enough to properly secure the upload
>>> folder, or if I need to add more checks.
>>
>> I assume you mean this instead:
>>
>> "everyone that [is authenticated and] has the URL for the
>> filemanager can upload and delete files."
>
> No, just having the URL is enough unless you use HTTP authentication to
> remove access to the whole folder that contains the filemanager code.
>
>> AFAIK, there is no built-in security for the filemanager.
>
> That explains why I didn't find any ;-) . IIRC the old PHP filemanager for
> FCKeditor had this function that basically said 'insert your site
> authentication here'. This seemed like a better approach to integrating with
> site authentication systems.
>
>> Adding the session code should help, but you should add more checks. Bil
>> and I were just discussing this yesterday in regards to CKEditor
>> instances (not the filemanager). You could use a token to verify that
>> the request to upload a file came from the proper user within a proper
>> timeframe.
>>
>> http://old.nabble.com/Getting-CKEditor-to-display-Lasso-code-in-Source-Editor-tt27894216.html
>
> For this specific project I only need the site administrators to be able to
> upload files. I think using Lasso sessions should be secure enough (it uses
> a 'token' and sessions time out after a while too). I tested the changes I
> made by going to the URL without being logged in, and I couldn't upload
> things, but since I'm not familiar with the code I'm not sure if I plugged
> all the holes. I'll take another look.
>
>> Also I contributed some code to limit file uploads to explicit file
>> extensions, but I don't think it made it to the repo.
>>
>> http://forum.filemanager.corefive.com/topic/restrict-file-upload-by-file-extension-in-lasso
>
> I was going to write my own whitelist thing (even though the users are
> trusted, it's still not a good idea to allow people to upload .lasso or .php
> files ;-) ), so thanks for sending me this :) .
>
> If I get around to writing image resize code I'll post it somewhere too, but
> I'll try to see if they can handle resizing before uploading first.
>
>> --steve
>
> Jonathan
>
> --
> Jonathan Vanherpe - Tallieu & Tallieu nv - [hidden email]
>



--
tagSwap.net :: Open Source Lasso Code
<http://tagSwap.net/>




Re: CKEditor FileManager

stevepiercy
On 3/16/10 at 1:29 PM, [hidden email] (Jonathan Vanherpe (T & T nv)) pronounced:

>Steve Piercy - Web Site Builder wrote:
>>On 3/16/10 at 11:28 AM, [hidden email] (Jonathan Vanherpe (T & T nv))
>>pronounced:
>>
>>>I've been playing with corefive's FileManager for CKEditor (Thanks a
>>>lot for releasing this to the community, Jason). I've set it up but I
>>>have a question about security:
>>>
>>>The default setup is that basically everyone that has the URL for the
>>>filemanager can upload and delete files. I've included the website's
>>>session/authentication code in
>>>filemanager/connectors/lasso/filemanager.lasso and
>>>filemanager/scripts/jquery.filetree/connectors/jqueryFileTree.lasso ,
>>>and I was wondering if this was enough to properly secure the upload
>>>folder, or if I need to add more checks.
>>
>>I assume you mean this instead:
>>
>>"everyone that [is authenticated and] has the URL for the
>>filemanager can upload and delete files."
>
>No, just having the URL is enough unless you use HTTP authentication
>to remove access to the whole folder that contains the filemanager
>code.

So what would prevent anyone who is not authenticated from
attacking the filemanager upload script?  I'm not really clear here.

>>AFAIK, there is no built-in security for the filemanager.
>
>That explains why I didn't find any ;-) . IIRC the old PHP filemanager
>for FCKeditor had this function that basically said 'insert your site
>authentication here'. This seemed like a better approach to
>integrating with site authentication systems.

Well, there might be, I don't know.  That's why I rolled my own.

>>Adding the session code should help, but you should add more checks. Bil
>>and I were just discussing this yesterday in regards to CKEditor
>>instances (not the filemanager). You could use a token to verify that
>>the request to upload a file came from the proper user within a proper
>>timeframe.
>>http://old.nabble.com/Getting-CKEditor-to-display-Lasso-code-in-Source-Editor-tt27894216.html
>
>For this specific project I only need the site administrators to be
>able to upload files. I think using Lasso sessions should be secure
>enough (it uses a 'token' and sessions time out after a while too). I
>tested the changes I made by going to the URL without being logged in,
>and I couldn't upload things, but since I'm not familiar with the code
>I'm not sure if I plugged all the holes. I'll take another look.

Do you make a distinction between site admins, other
authenticated users and anonymous users in regards to the
filemanager access?

How do you generate the token on the form?

Does the upload processing script ensure the token is valid?

>>Also I contributed some code to limit file uploads to explicit file
>>extensions, but I don't think it made it to the repo.
>>http://forum.filemanager.corefive.com/topic/restrict-file-upload-by-file-extension-in-lasso
>
>I was going to write my own whitelist thing (even though the users are
>trusted, it's still not a good idea to allow people to upload .lasso
>or .php files ;-) ), so thanks for sending me this :) .

You're welcome!

>If I get around to writing image resize code I'll post it somewhere
>too, but I'll try to see if they can handle resizing before uploading
>first.

I have some procedural code I can share.  It's part of what I
have been working on for a better AJAX uploader using this
doohickey in Lasso:
http://www.zurb.com/playground/ajax_upload

The docs for that are suboptimal, so go here for better docs:
http://valums.com/ajax-upload/

Anyway, all the AJAX stuff aside, I use shell from tagswap.net
and its dependencies to resize images with ImageMagick.  The
code below for Mac OS X:

* processes uploaded images
* saves the original image
* resizes the image to 2 sizes (you can add/remove as many as
you need)
* restricts the image height or width to a largest dimension
* for the smallest thumbnail image, a shell script takes the
100x100pixel thumbnail and pads it with a white border to make
it square.  This has the advantage of never having to look up
dimension attributes of the uploaded image because it will
always be 100x100 pixels.
* lacks any security and should not be used in production until
it is secured

=======================================

var(
     'nm'        = string,   // define a method to name your images
     'error'     = string,
     'msg'       = string,
     'files'     = file_uploads,
     'dest'      = '/filemanager/UserFiles/',    // webroot of all file types
     'origpath'  = 'orig/',  // path to store uploaded original images
     'size1'     = 600,      // set to be the largest dimension in pixels
     'size2'     = 100,      // set to be the next largest dimension in pixels
     // add other sizes and modify code as needed
     'imgh'      = integer,
     'imgw'      = integer,
     'i'         = null
);

inline(...your inline params...);
if($files->size > 0);

     $msg += 'File uploaded';

     iterate($files, $i);
         var('filetype')      = $i->find('type');
//       var('origname')      = $i->find('OrigName'); // lazy man's way to name images
         var('origname')      = $nm + '.jpg';
         var('filesize')      = $i->find('Size');
         var('origextension') = $i->find('OrigExtension');

         // move the temporary upload into the originals folder
         file_copy(
             $i->find('Upload.Name'),
             $dest + $origpath + $origname,
             -FileOverWrite
         );

         file_currenterror(-errorcode) != '0' ? $error += 'Lasso: ' + error_code + ': ' + error_msg;

         if($filetype >> 'image');
             var('upimg') = image($dest + $origpath + $origname);
             $imgh = $upimg->height;
             $imgw = $upimg->width;

             // scale to size1, constraining whichever dimension is larger
             if($imgh > $size1 || $imgw > $size1);
                 if($imgh > $imgw);
                     $upimg->scale(-height=$size1, -sample);   // scale to height
                 else;
                     $upimg->scale(-width=$size1, -sample);    // scale to width
                 /if;
             /if;
             $upimg->save(($dest + $size1 + 'x' + $size1 + '/' + $origname), -quality=80);

             // scale to size2 (works on the already reduced image)
             if($imgh > $size2 || $imgw > $size2);
                 if($imgh > $imgw);
                     $upimg->scale(-height=$size2, -sample);   // scale to height
                 else;
                     $upimg->scale(-width=$size2, -sample);    // scale to width
                 /if;
             /if;
             $upimg->save(($dest + $size2 + 'x' + $size2 + '/' + $origname), -quality=80);

             // pad the size2 thumbnail to an exact square with ImageMagick (Mac OS X path)
             shell('/Applications/Lasso\\ Professional\\ 8/LassoImageMagick.6/bin/convert -thumbnail 100x100 -bordercolor white -border 200 -gravity center -crop 100x100+0+0 +repage /Library/WebServer/Documents/YOURSITE' + ($dest + $size2 + 'x' + $size2 + '/' + $origname) + ' /Library/WebServer/Documents/YOURSITE' + ($dest + $size2 + 'x' + $size2 + '/' + $origname));

         else($filetype >> 'application');
             // many things to do then, depending on the file's type
         /if;
         error_code != '0' ? $error += 'Lasso: ' + error_code + ': ' + error_msg;
     /iterate;
else;
     $error += ' Error: no uploaded file. ';
/if;
/inline;

=======================================

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder              
Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


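An added example, not code from this thread or from the FileManager project, of the two checks that the image-processing step above leaves to the caller: deciding from the file's own bytes whether it is an image at all (the browser-supplied type is an attacker's claim), and invoking ImageMagick as an argument list rather than a concatenated command string. The `convert` location, the size cap and the paths are assumptions for the example.

```python
import subprocess
from typing import List, Optional, Tuple

# Magic bytes for the image types the thumbnail step accepts.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_IMAGE_BYTES = 5 * 1024 * 1024   # assumption: a per-site size cap


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify by leading bytes; the client-supplied Content-Type is ignored."""
    for kind, magics in IMAGE_SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check_image_upload(data: bytes, declared_ext: str) -> Tuple[bool, str]:
    """Header check plus extension/content agreement. This does not prove the
    file is harmless (a valid JPEG can still carry junk after the image data);
    re-encoding it with -strip, below, is what discards that."""
    if len(data) > MAX_IMAGE_BYTES:
        return False, "file too large"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "not a recognised image"
    ext = declared_ext.lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        return False, f"extension .{declared_ext} does not match content ({kind})"
    return True, kind


def thumbnail_argv(convert_bin: str, src: str, dst: str, size: int = 100) -> List[str]:
    """The same ImageMagick operation as the shell() call above, as an argv list:
    every argument is one element, so spaces or shell metacharacters in a path
    can never become extra arguments or commands. -strip drops embedded
    profiles and comments so the output holds pixel data only."""
    return [
        convert_bin, src,
        "-strip",
        "-thumbnail", f"{size}x{size}",
        "-bordercolor", "white", "-border", "200",
        "-gravity", "center", "-crop", f"{size}x{size}+0+0", "+repage",
        dst,
    ]


def make_square_thumbnail(convert_bin: str, src: str, dst: str) -> int:
    """Runs convert without a shell and returns its exit status. src and dst
    must be server-generated paths: ImageMagick gives some filename prefixes
    special meaning, so the uploader's original name never belongs here."""
    result = subprocess.run(thumbnail_argv(convert_bin, src, dst),
                            capture_output=True, timeout=30)
    return result.returncode
```

Run `check_image_upload` on the bytes of the temporary upload before the `file_copy`, and feed `make_square_thumbnail` only the name the server chose (the `$nm + '.jpg'` pattern above already does that).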



Re: CKEditor FileManager

Jonathan Vanherpe (T & T NV)
Steve Piercy - Web Site Builder wrote:

> On 3/16/10 at 1:29 PM, [hidden email] (Jonathan Vanherpe (T & T nv))
> pronounced:
>
>> Steve Piercy - Web Site Builder wrote:
>>> On 3/16/10 at 11:28 AM, [hidden email] (Jonathan Vanherpe (T & T nv))
>>> pronounced:
>>>
>>>
>>> I assume you mean this instead:
>>>
>>> "everyone that [is authenticated and] has the URL for the
>>> filemanager can upload and delete files."
>>
>> No, just having the URL is enough unless you use HTTP authentication
>> to remove access to the whole folder that contains the filemanager
>> code.
>
> So what would prevent anyone who is not authenticated from attacking the
> filemanager upload script? I'm not really clear here.
>
Nothing is preventing anyone from uploading anything if you just check
out the script from SVN and dump it in your website, which is the whole
reason I started this thread.

Jonathan
--
Jonathan Vanherpe - Tallieu & Tallieu nv - [hidden email]
