Omar,

Could I propose that you post this question over on the eXist mailing
list?  The discussion here is getting a little off topic from TEI.  I
believe you're already subscribed to exist-open, but for anyone who isn't,
please join at https://lists.sourceforge.net/lists/listinfo/exist-open.

Joe

On Fri, Mar 10, 2017 at 11:07 AM, Omar Siam <[log in to unmask]> wrote:

> Why does this work?
>
> https://exist-curation.minerva.arz.oeaw.ac.at/exist/apps/does_not_matter/what/path/even_if_it_does_not_exist.badending?_query=xquery%20version%20%223.1%22;response:stream-binary(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)
>
> Also works perfectly like this
>
> http://localhost:8080/exist/apps/does_not_matter/what/path/even_if_it_does_not_exist.badending?_query=xquery%20version%20%223.1%22;response:stream-binary(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)
>
> Works in /exist/apps/... and in /exist/rest/..., it does not work on
> /exist/xmlrpc and /xml/restxq
>
> So I sincerely doubt that it is a misconfiguration of our proxy servers.
>
> Who thought that the _query parameter needs to work *everywhere*?
>
> Also have a look at this: http://exist-db.org/exist/apps/doc/?_query=xquery%20version%20%221.0%22;response:stream(%20xs:base64Binary(%20data(httpclient:get(xs:anyURI(%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//httpclient:body))%20,%20%22image/jpg%22)
>
> Or if you prefer:
>
> view-source:http://exist-db.org/exist/apps/doc/?_query=response:stream(httpclient:get(xs:anyURI(%27http://www.example.org/%27),%20false(),())//httpclient:body/*,%27%27)
>
> Where in http://exist-db.org/exist/apps/doc/production_good_practice.xml
> did you state that it is absolutely mandatory to add smash _query= before
> the request hits exist-db? Like the apache config snippet does.
>
> What sort of trap is this? Please be explicit about what "service, servlet
> or filter" I need to disable to stop this.
>
> Best Regards
>
> Omar
>
> On 10.03.2017 at 16:44, Joe Wicentowski wrote:
>
> Hi all,
>
> For anyone considering moving an application from your own computer and
> putting it on the public internet, the eXist documentation states a helpful
> admonition:
>
> "For any live application it is recognised best practice to keep the
> attack surface of the application as small as possible. There are two
> aspects to this: 1. Reducing the application itself to the absolute
> essentials. 2. Limiting access routes to the application. eXist-db is no
> exception and should be configured for your production systems so that it
> provides only what you need and no more." (from
> http://exist-db.org/exist/apps/doc/production_good_practice.xml)
>
> As applied to the oeaw.ac.at server, the issue is that the eXist server's
> REST interface is exposed to the public.  Essentially, the "/data" URL at
> https://tei2016app.acdh.oeaw.ac.at/data/ is being mapped onto the eXist
> server's own URL, http://localhost:8080/exist/rest/db/apps/tei-abstracts/data.
> http://exist-db.org/exist/apps/doc/devguide_rest.xml) is a convenient way
> to expose the documents in your collection for browsing and downloading.
> But this powerful interface does allow users with access to it to execute
> arbitrary XQuery.  Matthias's solution (already applied, it appears!) keeps
> the original "/rest" URLs exposed, while filtering requests to prevent
> users from executing arbitrary code.  This is a good step, but in general,
> good practice is to prevent these "/rest" URLs from being exposed to the
> public, using eXist's robust URL rewriting functions to limit what visitors
> are able to see and access.
>
> Like many open source projects, the built-in documentation is uneven.  For
> anyone getting started with eXist, I'd highly recommend Adam Retter and
> Erik Siegel's book, _eXist_ (O'Reilly, 2014):
>
>   http://shop.oreilly.com/product/0636920026525.do
>
> The whole book is really well done and approachable.  I wrote a review at
> http://joewiz.org/2014/12/28/exist-the-indispensable-guide/.
>
> Joe
>
> On Fri, Mar 10, 2017 at 8:33 AM, Piotr Bański <[log in to unmask]>
> wrote:
>
>> Dear Mathias,
>>
>> What a pretty cat(ch)! Thanks for sharing :-)
>>
>> Best regards,
>>
>>   Piotr
>>
>> On 03/10/17 14:26, Mathias Göbel wrote:
>>
>>> Dear TEI-Community,
>>>
>>> thank you for offering an increasing number of documents stored in
>>> outstanding great databases like eXist-db and available via REST. Would
>>> those guys using eXist-db consider capturing & redirecting the "_query"
>>> parameter (or at least a set of function names) to avoid offering an
>>> open proxy like in this example:
>>>
>>> https://tei2016app.acdh.oeaw.ac.at/data/?_query=xquery%20version%20%223.1%22;response:stream-binary%28%20xs:base64Binary%28%20data%28httpclient:get%28xs:anyURI%28%22http://24.media.tumblr.com/tumblr_lt8vrdas9o1qb8xalo1_400.jpg%22%29,%20false%28%29,%20%28%29%29//httpclient:body%29%29%20,%20%22image/jpg%22%29
>>>
>>> If you are using Apache you might want to
>>>
>>>         RewriteEngine on
>>>         RewriteCond %{QUERY_STRING} _query=
>>>         RewriteRule (.*) $1? [R=permanent]
>>>
>>> Best,
>>> Mathias
>>> --
>>> Mathias Göbel
>>> Research and Development
>>>
>>> Georg-August-Universität Göttingen
>>> Göttingen State and University Library
>>> D-37070 Göttingen
>>>
>>> Papendiek 14 (hist. building, room 2.408
>>> <https://lageplan.uni-goettingen.de/?ident=7209_4_2.OG_2.408>)
>>> +49 551 39-20184 (Tel.)
>>> +49 551 39-33856 (Fax.)
>>>
>>> [log in to unmask] <mailto:[log in to unmask]>
>>> http://www.sub.uni-goettingen.de
>>>
>>> --
>>>
>>
>> --
>> Piotr Bański, Ph.D.
>> Senior Researcher,
>> Institut für Deutsche Sprache,
>> R5 6-13
>> 68-161 Mannheim, Germany
>>
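Added example, not part of the thread above and not code from the eXist project: a small Python script that is the detection-side counterpart of the Apache rewrite rule Mathias posted. It reads Apache combined-format access-log lines (the lines below are constructed; the client addresses and paths are placeholders) and flags every request that carries a `_query` parameter, whatever the path, since the thread reports the parameter being honoured under both /exist/apps/ and /exist/rest/. Parameter names are percent-decoded and lower-cased before comparison, so the check looks at what the servlet sees after decoding rather than at the raw query string.

```python
"""Flag HTTP requests that carry eXist-db's `_query` parameter.

Added example (not from the mailing-list thread). Reads Apache combined-format
access-log lines and reports each request whose query string contains a
parameter named `_query`, regardless of the path. The log lines in SAMPLE_LOG
are constructed for illustration; hosts and paths are placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic). Three of the five carry `_query`
# in some spelling; the `query=cat` line is a benign look-alike.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2017:14:26:01 +0100] "GET /data/?_query=xquery%20version%20%223.1%22;response:stream-binary(...) HTTP/1.1" 200 5123 "-" "curl/7.52.1"
192.0.2.11 - - [10/Mar/2017:14:27:13 +0100] "GET /data/some/doc.xml HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2017:14:28:45 +0100] "GET /exist/apps/doc/?_QUERY=response:stream(...) HTTP/1.1" 200 310 "-" "curl/7.52.1"
192.0.2.13 - - [10/Mar/2017:14:29:02 +0100] "GET /exist/rest/db/apps/x/data?%5Fquery=1 HTTP/1.1" 200 42 "-" "curl/7.52.1"
192.0.2.14 - - [10/Mar/2017:14:30:00 +0100] "GET /data/?query=cat HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""


def has_query_param(target: str) -> bool:
    """True if the request target carries a parameter named `_query`.

    parse_qsl percent-decodes parameter names, and the comparison is
    case-insensitive, so the result reflects the parameter name the servlet
    container ends up with rather than the raw bytes in the query string.
    """
    qs = urlsplit(target).query
    names = {name.lower() for name, _ in parse_qsl(qs, keep_blank_values=True)}
    return "_query" in names


def flag_query_requests(log_text: str) -> list:
    """Return (client_host, target) for every logged request carrying `_query`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        if has_query_param(m.group("target")):
            hits.append((m.group("host"), m.group("target")))
    return hits


if __name__ == "__main__":
    for host, target in flag_query_requests(SAMPLE_LOG):
        print(f"{host} -> {target}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of the access log. Any hit on a host that is only meant to serve static collection data is worth reviewing. Because Apache's `RewriteCond %{QUERY_STRING}` tests the raw, undecoded query string, compare what this script reports with what the rewrite rule actually redirected in your logs before relying on the rule alone.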