[4suite-dev] URIs in the repo, revisited (addendum)

Mike Olson Mike.Olson at fourthought.com
Wed Dec 11 18:43:49 MST 2002 

> > >From a security standpoint, a don't like the ability for documents to get 
> > access with the server's system access to a file on the host system.  Given 
> > that, it would then be possible to implement the file scheme as the way into 
> > the repository, since the file scheme is defined as as being machine 
> > dependent anyway.
> 
> I see the security implications, but I think that admins should be able
> to set security policy so that they can allow access to the local paths
> on machine at their discretion.  This is similar to the Java run time
> approach.

I don't think that they can.  Unless we add a "LocalDocumentRoot"
configuration option.

> 
> I do not think we should use file: URLs to mean repo paths.  It would
> not be illegal, but I think it would be confusing.  I certainly think of
> file URLs separately than I think of repo paths.

I agree.  Also, it could be desirable to allow file URIs to access the
local machine.

> 
> I do think I have a compromise, though.
> 
> Why don't we define a "virtual" host name for the repo, which the user
> sets up at 4ss init time (we can offer a default, such as "4ssrepo"
> 
> Then we can use file:// URLs for the repo, but using the special host
> name:
> 
> file://4ssrepo/ftss/data
> 
> Would point to what you expect
> 
> file:///home and the dodgy file:/home
> 
> Would still be local paths, even though they may be blocked by security
> policy.
> 

I don't like this.  too confusing.  I think we should either allow or
not allow access to the local file system.  If we allow access then we
need to allow sys admins a way to restrict access to portions of the
file system.

Mike

> 
> -- 
> Uche Ogbuji                                    Fourthought, Inc.
> http://uche.ogbuji.net    http://4Suite.org    http://fourthought.com
> Tour of 4Suite - http://www.xml.com/pub/a/2002/10/16/py-xml.html
> Proper XML Output in Python - http://www.xml.com/pub/a/2002/11/13/py-xml.html
> RSS for Python - http://www-106.ibm.com/developerworks/webservices/library/ws-pyth11.html
> Debug XSLT on the fly - http://www-106.ibm.com/developerworks/xml/library/x-debugxs.html
-- 
Mike Olson                                Principal Consultant
mike.olson at fourthought.com                +1 303 583 9900 x 102
Fourthought, Inc.                         http://Fourthought.com 
PO Box 270590,                            http://4Suite.org
Louisville, CO 80027-5009, USA
XML strategy, XML tools, knowledge management

More information about the 4suite-dev mailing list