Hi all,

For anyone considering moving an application from your own computer and putting it on the public internet, the eXist documentation states a helpful admonition: 

"For any live application it is recognised best practice to keep the attack surface of the application as small as possible. There are two aspects to this: 1. Reducing the application itself to the absolute essentials. 2. Limiting access routes to the application. eXist-db is no exception and should be configured for your production systems so that it provides only what you need and no more." (from http://exist-db.org/exist/apps/doc/production_good_practice.xml)

As applied to the oeaw.ac.at server, the issue is that the eXist server's REST interface is exposed to the public.  Essentially, the "/data" URL at https://tei2016app.acdh.oeaw.ac.at/data/ is being mapped onto the eXist server's own URL, http://localhost:8080/exist/rest/db/apps/tei-abstracts/data.  eXist's REST interface (http://exist-db.org/exist/apps/doc/devguide_rest.xml) is a convenient way to expose the documents in your collection for browsing and downloading.  But this powerful interface does allow users with access to it to execute arbitrary XQuery.  Matthias's solution (already applied, it appears!) keeps the original "/rest" URLs exposed, while filtering requests to prevent users from executing arbitrary code.  This is a good step, but in general, good practice is to prevent these "/rest" URLs from being exposed to the public, using eXist's robust URL rewriting functions to limit what visitors are able to see and access.

Like many open source projects, the built-in documentation is uneven.  For anyone getting started with eXist, I'd highly recommend Adam Retter and Erik Siegel's book, _eXist_ (O'Reilly, 2014):


The whole book is really well done and approachable.  I wrote a review at http://joewiz.org/2014/12/28/exist-the-indispensable-guide/.  


On Fri, Mar 10, 2017 at 8:33 AM, Piotr Bański <[log in to unmask]> wrote:
Dear Mathias,

What a pretty cat(ch)! Thanks for sharing :-)

Best regards,


On 03/10/17 14:26, Mathias Göbel wrote:
Dear TEI-Community,

thank you for offering an increasing number of documents stored in
outstanding great databases like eXist-db and available via REST. Would
those guys using eXist-db consider to capture&redirect the "_query"
parameter (or at least a set of function names) to avoid offering an
open proxy like in this example:


If you are using Apache you might want to

        RewriteEngine on
        RewriteCond %{QUERY_STRING} _query=
        RewriteRule (.*) $1? [R=permanent]

Mathias Göbel
Research and Development

Georg-August-Universität Göttingen
Göttingen State and University Library
D-37070 Göttingen

Papendiek 14 (hist. building, room 2.408
+49 551 39-20184 (Tel.)
+49 551 39-33856 (Fax.)

[log in to unmask] <mailto:[log in to unmask]=%0A-goettingen.de>


Piotr Bański, Ph.D.
Senior Researcher,
Institut für Deutsche Sprache,
R5 6-13
68-161 Mannheim, Germany