Why does this work?

https://exist-curation.minerva.arz.oeaw.ac.at/exist/apps/does_not_matter/what/path/even_if_it_does_not_exist.badending?_query=xquery%20version%20%223.1%22;response:stream-binary(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)

Also works perfectly like this

http://localhost:8080/exist/apps/does_not_matter/what/path/even_if_it_does_not_exist.badending?_query=xquery%20version%20%223.1%22;response:stream-binary(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)

It works in /exist/apps/... and in /exist/rest/...; it does not work on 
/exist/xmlrpc and /xml/restxq.

So I sincerely doubt that it is a misconfiguration of our proxy servers.

Who thought that the _query parameter needs to work *everywhere*?

Also have a look at this: 
http://exist-db.org/exist/apps/doc/?_query=xquery%20version%20%221.0%22;response:stream(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)

Or if you prefer:

view-source:http://exist-db.org/exist/apps/doc/?_query=response:stream(httpclient:get(xs:anyURI(%27http://www.example.org/%27),%20false(),())//httpclient:body/*,%27%27)

Where in http://exist-db.org/exist/apps/doc/production_good_practice.xml 
did you state that it is absolutely mandatory to smash _query= 
before the request hits eXist-db? Like the Apache config snippet does.

What sort of trap is this? Please be explicit about what "service, 
servlet or filter" I need to disable to stop this.

Best Regards

Omar

On 10.03.2017 at 16:44, Joe Wicentowski wrote:
> Hi all,
>
> For anyone considering moving an application from your own computer 
> and putting it on the public internet, the eXist documentation states 
> a helpful admonition:
>
> "For any live application it is recognised best practice to keep the 
> attack surface of the application as small as possible. There are two 
> aspects to this: 1. Reducing the application itself to the absolute 
> essentials. 2. Limiting access routes to the application. eXist-db is 
> no exception and should be configured for your production systems so 
> that it provides only what you need and no more." (from 
> http://exist-db.org/exist/apps/doc/production_good_practice.xml)
>
> As applied to the oeaw.ac.at server, the issue is 
> that the eXist server's REST interface is exposed to the public.  
> Essentially, the "/data" URL at 
> https://tei2016app.acdh.oeaw.ac.at/data/ is being mapped onto the 
> eXist server's own URL, 
> http://localhost:8080/exist/rest/db/apps/tei-abstracts/data.  eXist's 
> REST interface (http://exist-db.org/exist/apps/doc/devguide_rest.xml) 
> is a convenient way to expose the documents in your collection for 
> browsing and downloading.  But this powerful interface does allow 
> users with access to it to execute arbitrary XQuery.  Matthias's 
> solution (already applied, it appears!) keeps the original "/rest" 
> URLs exposed, while filtering requests to prevent users from executing 
> arbitrary code.  This is a good step, but in general, good practice is 
> to prevent these "/rest" URLs from being exposed to the public, using 
> eXist's robust URL rewriting functions to limit what visitors are able 
> to see and access.
>
> As with many open source projects, the built-in documentation is uneven.  
> For anyone getting started with eXist, I'd highly recommend Adam 
> Retter and Erik Siegel's book, _eXist_ (O'Reilly, 2014):
>
> http://shop.oreilly.com/product/0636920026525.do
>
> The whole book is really well done and approachable.  I wrote a review 
> at http://joewiz.org/2014/12/28/exist-the-indispensable-guide/.
>
> Joe
>
> On Fri, Mar 10, 2017 at 8:33 AM, Piotr Bański <[log in to unmask]> wrote:
>
>     Dear Mathias,
>
>     What a pretty cat(ch)! Thanks for sharing :-)
>
>     Best regards,
>
>       Piotr
>
>     On 03/10/17 14:26, Mathias Göbel wrote:
>
>         Dear TEI-Community,
>
>         thank you for offering an increasing number of documents stored in
>         outstanding great databases like eXist-db and available via REST.
>         Would those guys using eXist-db consider capturing & redirecting
>         the "_query" parameter (or at least a set of function names) to
>         avoid offering an open proxy like in this example:
>
>         https://tei2016app.acdh.oeaw.ac.at/data/?_query=xquery%20version%20%223.1%22;response:stream-binary(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)
>
>         If you are using Apache you might want to
>
>                 RewriteEngine on
>                 RewriteCond %{QUERY_STRING} _query=
>                 RewriteRule (.*) $1? [R=permanent]
>
>         Best,
>         Mathias
>         --
>         Mathias Göbel
>         Research and Development
>
>         Georg-August-Universität Göttingen
>         Göttingen State and University Library
>         D-37070 Göttingen
>
>         Papendiek 14 (hist. building, room 2.408,
>         https://lageplan.uni-goettingen.de/?ident=7209_4_2.OG_2.408)
>         +49 551 39-20184 (Tel.)
>         +49 551 39-33856 (Fax.)
>
>         [log in to unmask]
>         http://www.sub.uni-goettingen.de
>
>     -- 
>     Piotr Bański, Ph.D.
>     Senior Researcher,
>     Institut für Deutsche Sprache,
>     R5 6-13
>     68-161 Mannheim, Germany
>
>
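The Apache rewrite rule Mathias quotes above, modelled here as an added example (not code from any participant or from eXist) so its policy can be tested offline: the rule's unanchored substring match and whole-query redirect, a stricter variant that drops only the decoded `_query` parameter and keeps the rest of the query string, and a sweep over constructed proxy log lines for past use of the open proxy. The path from Omar's localhost URL is reused with the XQuery payload shortened; the log lines and the `lang=en` parameter are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Parameter eXist's /rest and /apps endpoints treat as XQuery to execute.
BLOCKED_PARAMS = {"_query"}

# Omar's localhost URL from the thread, with the XQuery payload shortened.
THREAD_URL = ("http://localhost:8080/exist/apps/does_not_matter/what/path/"
              "even_if_it_does_not_exist.badending?_query=xquery%20version%20%223.1%22")

def has_blocked_param(query):
    """True if any decoded parameter name is one eXist would execute."""
    return any(name in BLOCKED_PARAMS
               for name, _ in parse_qsl(query, keep_blank_values=True))

def apache_rewrite(url):
    """Model of Mathias's rule: 'RewriteCond %{QUERY_STRING} _query=' is an
    unanchored substring match, and 'RewriteRule (.*) $1? [R=permanent]'
    redirects to the same path with the entire query string dropped."""
    p = urlsplit(url)
    if "_query=" in p.query:
        return 301, urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    return 200, url

def strip_blocked(url):
    """Stricter variant: match on decoded parameter names, drop only the
    blocked ones and keep the rest of the query string for the app."""
    p = urlsplit(url)
    pairs = parse_qsl(p.query, keep_blank_values=True)
    kept = [(n, v) for n, v in pairs if n not in BLOCKED_PARAMS]
    if len(kept) == len(pairs):
        return 200, url
    return 301, urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))

# Constructed Common Log Format lines, as a proxy in front of eXist might log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:14:26:01 +0100] "GET /data/?_query=xquery%20version%20%223.1%22 HTTP/1.1" 200 1234',
    '203.0.113.8 - - [10/Mar/2017:14:27:05 +0100] "GET /data/abstract1.xml HTTP/1.1" 200 5678',
]

def flag_log_lines(lines):
    """Request targets whose query string carries a blocked parameter, to
    sweep existing proxy logs for past use of the open proxy."""
    flagged = []
    for line in lines:
        try:
            target = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue
        if has_blocked_param(urlsplit(target).query):
            flagged.append(target)
    return flagged
```

Note that the substring match in `apache_rewrite` also redirects a request whose query contains `my_query=`, and drops every other parameter with it; `strip_blocked` avoids both side effects.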