Opened 10 years ago
Last modified 3 years ago
#878 new enhancement
block system commands
Reported by: | kjdon | Owned by: | nobody |
---|---|---|---|
Priority: | moderate | Milestone: | 3.11 Release |
Component: | Greenstone3 Runtime | Severity: | enhancement |
Keywords: | Cc: |
Description
Currently anyone can run system commands and reload/delete collections etc. Make this more secure.
Simple solution: Make it only available when logged in as admin.
More flexible solution: Have a setting for system commands:
- allow none
- allow all
- allow only admin users
Change History (2)
comment:1 by , 8 years ago
comment:2 by , 3 years ago
Milestone: | 3.10 Release → 3.11 Release |
---|
Ticket retargeted after milestone closed
Also, Georgy pointed out that URLs like the following are not secure.
http://127.0.0.1:8383/greenstone3/library?a=g&rt=r&ro=1&s=BuildAndActivateCollection&s1.collection=admin-test2
http://127.0.0.1:8383/greenstone3/cgi-bin/metadata-server.pl?a=set-archives-metadata&c=admin-test2&site=localsite&d=HASH018ddaf486549bb01f6a3b8d&metaname=hastxt&metavalue=5&prevmetavalue=3&metamode=override
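The three-way setting proposed in the description (allow none, allow all, allow only admin users), applied to the request shapes quoted in the ticket. This is an added example, not part of the ticket and not Greenstone code. The names `Policy`, `PRIVILEGED`, `load_policy`, `is_privileged` and `allowed`, the `is_admin` flag and the search URL are assumptions made for illustration.

```python
from enum import Enum
from urllib.parse import urlsplit, parse_qs


class Policy(Enum):
    NONE = "none"    # allow none
    ALL = "all"      # allow all
    ADMIN = "admin"  # allow only admin users


# Assumption: the (parameter, value) pairs that mark a privileged request.
# Only the two quoted in the ticket are listed here.
PRIVILEGED = {("s", "BuildAndActivateCollection"), ("a", "set-archives-metadata")}

# Sample requests: the first two come from the ticket (the second shortened),
# the third is constructed.
BUILD_URL = "http://127.0.0.1:8383/greenstone3/library?a=g&rt=r&ro=1&s=BuildAndActivateCollection&s1.collection=admin-test2"
METADATA_URL = "http://127.0.0.1:8383/greenstone3/cgi-bin/metadata-server.pl?a=set-archives-metadata&c=admin-test2"
SEARCH_URL = "http://127.0.0.1:8383/greenstone3/library?a=q&q=test"


def load_policy(text):
    """Parse the configured value; anything unrecognised fails closed."""
    try:
        return Policy(text.strip().lower())
    except ValueError:
        return Policy.NONE


def is_privileged(url):
    """True if any occurrence of a listed parameter carries a listed value."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(value in query.get(name, []) for name, value in PRIVILEGED)


def allowed(url, policy, is_admin):
    """Decide one request. is_admin must come from the server-side session."""
    if not is_privileged(url):
        return True
    if policy is Policy.ALL:
        return True
    return policy is Policy.ADMIN and is_admin


if __name__ == "__main__":
    for url in (BUILD_URL, METADATA_URL, SEARCH_URL):
        for policy in Policy:
            print(policy.value, allowed(url, policy, is_admin=False), url)
```

The check looks at every occurrence of a parameter, so a repeated `s=` cannot hide the privileged value behind a harmless one, and a mistyped setting is treated as "allow none".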