Fix the hsts bug #13

Status: Closed (wants to merge 62 commits). 5 participants.

skinkie commented Nov 13, 2011

As $subj

skinkie added some commits Oct 13, 2011

bdaeaea skinkie: Implements iterating over multiple source destinations. Will not work in case of spanning interpreters.
a329b42 skinkie: Typo in Server String
c8be77e skinkie: We don't use listener->server_string_ext so why keep it?
1d6ff06 skinkie: Implements/Ports "Feature Request: Server Tokens", issue 438.
I took the liberty to port the proposed patch and extend its functionality beyond what is published to the outside, including what is published to foreign scripts and proxy hosts. The point is obviously to be secure by default; the point of hiding it: make it a little bit harder to guess what is actually 'the default'.
http://code.google.com/p/cherokee/issues/detail?id=438

alobbs commented on 1d6ff06 Oct 13, 2011

I do not like it. There are a whole lot of ways to identify the server; the token string is just the most obvious one, but there are many, MANY others.
In my opinion, trying to hide the Server is pointless and a lousy way to have a false sense of security. -1.

skinkie replied Oct 13, 2011

I think a few weeks ago on Slashdot I read an article that good security in addition to some obscurity gives the best results. I am not pro-using it at all, but then again a user requested it, created a patch and I am just following up and incorporating it in my tree. Will it hurt Cherokee: probably not; is it advice to run Cherokee like it: no.

http://news.slashdot.org/story/11/10/01/2034215/security-by-obscurity-a-new-theory

Thank you!

Will this be included in future releases? Like skinkie said, it is "Security by Obscurity", but this is definitely no powerful argument to not implement this patch for major releases too ...

skinkie and others added some commits Oct 13, 2011

e7daa3d skinkie: Introducing rule filetime; this rule allows to match on access, creation or modification time changes. Originally written to be run on an OpenStreetMap tile server, together with handler_tile. This code also introduces the ability to have 'beta' modules, which are only enabled using --enable-beta. An open case to me if this is handled correctly in the admin now.
http://code.google.com/p/cherokee/issues/detail?id=683
4d1d238 skinkie: Implements handler_tile, to be used together with (a modified) form of renderd, allowing it to render meta tiles, but writing them out as single files. Opposed to mod_tile which serves meta tiles; we might add this functionality later.
http://code.google.com/p/cherokee/issues/detail?id=683
d76faa4 skinkie: Implements handler_tile, to be used together with (a modified) form of renderd, allowing it to render meta tiles, but writing them out as single files. Opposed to mod_tile which serves meta tiles; we might add this functionality later.
http://code.google.com/p/cherokee/issues/detail?id=683
0ceae65 skinkie: Merge branch 'master' of github.com:skinkie/webserver
72dbee1 skinkie: Implements handler_sphinx, a full-text search in the style of DBslayer, extensively used on openkvk.nl.
TODO: configure.in needs some love to figure out where -lsphinxclient and sphinxclient.h are located, and the ability not to compile the handler.
TODO: we are currently not using a balancer scenario, but we might be able to do so.
http://code.google.com/p/cherokee/issues/detail?id=691
ce54e81 skinkie: Fixes the compilation if sphinxclient.h is not present. Basically just prevents handler_sphinx from being compiled at all, unless you know what you are doing. Hence change have_sphinxclient to yes.
4c9c671 skinkie: We had a newer version of handler_tile already running on OpenStreetMap.nl
f61188f skinkie: Implements the ability to use ${passwd} inside the SQL query in validator_mysql. Credits go to aaronh...@gmail.com.
http://code.google.com/p/cherokee/issues/detail?id=728
61ac7f1 skinkie: Partial Japanese translation provided by: lo...@hotmail.co.jp
e471aa7 skinkie: Merge git://github.com/cherokee/webserver
4f17710 skinkie: Merge git://github.com/cherokee/webserver
4e28ff4 skinkie: Merge git://github.com/cherokee/webserver
433ed76 alobbs: The 1.2.102 cycle starts
2f11a32 pigmej (committed by alobbs): removed SVN infos from docs
9fb91c8 pigmej (committed by alobbs): added wget cmd to info about downloading master zip package
d0331db alobbs: The latest release should be downloaded from cherokee-project.com.
494e927 alobbs: Merge branch 'bug-1288' into dev
4f9f0e9 skinkie: Merge git://github.com/cherokee/webserver
9b08b1b skinkie: Implements csv output. To use this effectively, the code that generates the output must be able to support "naive" output, headers only, etc. So this code is not some sort of drop in and "ignoring" stuff.
0aa0b71 skinkie: Implements XML-RPC and some cleanups. Not tested yet.
95fa5b1 skinkie: Added the base64/datetime todo.
fbb105d skinkie: Fixed some compiler errors.
bbae0ea skinkie: Adds XML-RPC to DBSlayer.
fc522d3 skinkie: Add XML-RPC to the admin.
c5c0868 skinkie: Implements validator dummy. Validator dummy throws out validation, which can only be passed by actually entering something in the username/password fields. Empty throws an authentication required.
83f6278 alobbs: Fixes some handling exception code.
fda6ff4 skinkie: Implements Dummy admin interface thingie.
2f32dac skinkie: Implements handler_xslt for Cherokee. There can still be done some polishing, especially in the admin part regarding what does what, and in the automake part. But the thing seems to actually work.
9436806 skinkie: Merge git://github.com/cherokee/webserver
3fcf5a3 alobbs: Merge commit '57a0e2183b1b1d94cd941ef6a59f1dae16588698' into dev
0aa97bb sciyoshi (committed by alobbs): Fix compatibility issue #11 when an empty POST request is sent to a flup-powered FastCGI backend
49b2ea6 skinkie: Fixes the admin bug with HSTS with subdomains.
209e476 skinkie: Implements the correct usage of HSTS.
a7c57b8 skinkie: HSTS admin fixup; I guess it is not very good if "One Year" is part of the config.
5f238d9 skinkie: Implements Cipher Server Preference
319c6f6 skinkie: Merge https://github.com/cherokee/webserver

alobbs commented on a7c57b8 Nov 14, 2011

The default string should not be written to the configuration file.
Was it written to the configuration file, or did you write the patch as a precautionary measure?

skinkie replied Nov 14, 2011

Trust me it was written.

Just checked it. You are right, it does get written in the file.

The problem seems to be in how the information flows between CTK.Submitter() and CTK.TextField().
I'm applying your patch, so we stop this problem from happening any more while I try to come up with a solution for the issue in CTK.

Good stuff! :-)

The patch looks good except for that _("Prefer"). Would not something like "Activate" or "Enforce" be easier to understand?

skinkie replied Nov 14, 2011

You clearly don't like the influence of French in English ;)

alobbs and others added some commits Nov 15, 2011

1d4f8a4 alobbs: admin/wizards2 is not part of the project yet.
99044fc skinkie (committed by alobbs): HSTS admin fixup; I guess it is not very good if "One Year" is part of the config.
51e2ff1 alobbs: Under some circumstances Cherokee 1.2.101 generated configuration files in which the 'Max Age' property of a HSTS entry could hold a non-numeric value. This patch enhances the configuration file migration tool to detect and fix such a situation.
d230685 skinkie (committed by alobbs): Implements Cipher Server Preference

This breaks the QAs.
What's the rationale behind it?

skinkie replied Nov 18, 2011

alobbs commented on fbb105d Nov 18, 2011

Those lines are right. Mind the semicolon that follows every single instance of those macros.
Actually, having two semicolons (;;) would throw errors/warnings in some compilers like Sun CC.

It is tricky and you could say it's kinda dirty, and you would be right. However, those semicolons are not required. :)

skinkie replied Nov 18, 2011

Thanks. I see what you mean.

skinkie commented Nov 22, 2011

HSTS bug fixed.
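As an added illustration of the bug this thread closes (example code written for this page, not Cherokee's own admin or migration code): the admin had leaked the label "One Year" into the configuration as the HSTS max-age value, and a non-numeric max-age is exactly what a browser will ignore, silently dropping the HTTPS pin. The snippet below mimics the migration step described in commit 51e2ff1: it parses Cherokee-style `key = value` lines, flags a max-age that is not a non-negative integer, replaces it with a numeric default, and builds the Strict-Transport-Security value a virtual server would send. The key names `vserver!N!hsts`, `!max_age` and `!subdomains`, the one-year default, and the configuration lines themselves are assumptions constructed for the example.

```python
import re

# Constructed sample of a Cherokee-style configuration fragment. The key names
# (vserver!N!hsts, !max_age, !subdomains) are assumptions made for this example;
# vserver 1 carries the leaked "One Year" label instead of a number of seconds.
SAMPLE_CONFIG = """\
vserver!1!nick = default
vserver!1!hsts = 1
vserver!1!hsts!max_age = One Year
vserver!1!hsts!subdomains = 1
vserver!2!nick = api
vserver!2!hsts = 1
vserver!2!hsts!max_age = 15768000
vserver!2!hsts!subdomains = 0
"""

# Assumed default max-age: one year in seconds (what the "One Year" label meant).
ONE_YEAR = 365 * 24 * 60 * 60


def parse_config(text):
    """Parse 'key = value' lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip()
    return conf


def is_valid_max_age(value):
    """RFC 6797 max-age is a non-negative integer number of seconds."""
    return re.fullmatch(r'\d+', value) is not None


def migrate_hsts_max_age(conf, default=ONE_YEAR):
    """Return (fixed_conf, repaired_keys). Any HSTS max_age that is not a
    non-negative integer is replaced with `default`; the input is not mutated."""
    fixed = dict(conf)
    repaired = []
    for key, value in conf.items():
        if key.endswith('!hsts!max_age') and not is_valid_max_age(value):
            fixed[key] = str(default)
            repaired.append(key)
    return fixed, repaired


def hsts_header(conf, vserver_id):
    """Build the Strict-Transport-Security value for one virtual server, or
    None when HSTS is disabled for it. A non-numeric max-age raises instead of
    producing a header browsers would ignore."""
    prefix = 'vserver!%d!hsts' % vserver_id
    if conf.get(prefix) != '1':
        return None
    max_age = conf.get(prefix + '!max_age', str(ONE_YEAR))
    if not is_valid_max_age(max_age):
        raise ValueError('HSTS max-age for vserver %d is not numeric: %r'
                         % (vserver_id, max_age))
    value = 'max-age=%s' % max_age
    if conf.get(prefix + '!subdomains') == '1':
        value += '; includeSubDomains'
    return value


if __name__ == '__main__':
    conf = parse_config(SAMPLE_CONFIG)
    fixed, repaired = migrate_hsts_max_age(conf)
    print('repaired keys:', repaired)
    for vid in (1, 2):
        print('vserver %d -> Strict-Transport-Security: %s'
              % (vid, hsts_header(fixed, vid)))
```

Running the migration over the sample reports `vserver!1!hsts!max_age` as repaired and yields `max-age=31536000; includeSubDomains` for vserver 1 and `max-age=15768000` for vserver 2; calling `hsts_header` on the unmigrated config for vserver 1 raises instead, which is the behaviour you want from a config loader rather than emitting a header the browser discards.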

skinkie closed this Nov 22, 2011
