
commit b5a619a3c20f775146895c2840bc35bcdecb71b0
parent db77203231375309af596594bdbab0ac29015c2d
Author: dankert <devnull@localhost>
Date:   Sat, 27 Jan 2007 00:00:12 +0100

*** empty log message ***

Diffstat:
doc/examples/mod-security.conf | 57+++++++++++++++++++++++++++++++++++++++------------------
1 file changed, 39 insertions(+), 18 deletions(-)

diff --git a/doc/examples/mod-security.conf b/doc/examples/mod-security.conf 
@@ -65,37 +65,54 @@
- # Parameter Whitelist
- SecFilterSelective ARGS_NAMES "!^(targetSubAction|subaction|action|oi|id|login_name|login_password|elementid|dbid|ok|screenwidth|src|text|obj[0-9]+|type|valueid|release|objectid1|objectid2|commit|ids|groupid|username|name|fullname|desc|description|templateid|tel|ldap_dn|style|is_admin|ok|act_password|password1?|password2|e?mail|random|timeout|code|confirm|addelement|addicon|addifempty|addifnotempty|elementid|iconid|ifemptyid|ifnotemptyid|with_icon|all_languages|writable|wiki|html|default_longtext)$"
-
-
+ # Parameter Whitelist (to be done, need a good way)
+ #SecFilterSelective ARGS_NAMES "!^(targetSubAction|subaction|action|oi|id)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(login_name|login_password)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(elementid|dbid|ok|screenwidth|src|text)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(obj[0-9]+|type|valueid|release|objectid1|objectid2|commit|ids)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(groupid|username|name|fullname|desc|description|templateid)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(tel|ldap_dn|style|is_admin|ok|act_password|password1?|password2|e?mail|random|timeout|code|confirm)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(addelement|addicon|addifempty|addifnotempty|elementid|iconid|ifemptyid|ifnotemptyid|with_icon|all_languages|writable|wiki|html|default_longtext|subtypes|subtype)$" chain
+ #SecFilterSelective ARGS_NAMES "!^(target_dir|ftp_url|ftp_passive|cmd_after_publish|content_negotiation|cut_index)$"
+
+ SecFilterSelective ARGS_NAMES "!^[a-z][a-z0-9_]*[0-9]*$"
 # Einzelne Parameter
 SecFilterSelective ARG_id "!^[0-9-]*$"
+
+ # Session-Id (ggf. anzupassen)
+ SecFilterSelective ARG_oi "!^[a-f0-9]*$"
+ SecFilterSelective ARG_PHPSESSID "!^[a-f0-9]*$"
+ SecFilterSelective ARG_sessionid "!^[a-f0-9]*$"
+ SecFilterSelective ARG_sid "!^[a-f0-9]*$"
- SecFilterSelective ARG_login_name "!^[A-Za-z0-9_-]*$"
+ SecFilterSelective ARG_login_name "!^[A-Za-z0-9_-]*$"
 SecFilterSelective ARG_login_password "!^[A-Za-z0-9_-]*$"
- SecFilterSelective ARG_password1 "!^[A-Za-z0-9_-]*$"
- SecFilterSelective ARG_password2 "!^[A-Za-z0-9_-]*$"
+ SecFilterSelective ARG_password1 "!^[A-Za-z0-9_-]*$"
+ SecFilterSelective ARG_password2 "!^[A-Za-z0-9_-]*$"
+ SecFilterSelective ARG_password "!^[A-Za-z0-9_-]*$"
 SecFilterSelective ARG_action "!^[a-z]*$"
 SecFilterSelective ARG_subaction "!^[a-z]*$"
- SecFilterSelective ARG_oi "!^[a-f0-9]*$"
 SecFilterSelective ARG_elementid "!^[0-9]*$"
 SecFilterSelective ARG_objectid1 "!^[0-9]*$"
 SecFilterSelective ARG_objectid2 "!^[0-9]*$"
 SecFilterSelective ARG_dbid "!^[a-zA-Z0-9_-]*$"
- SecFilterSelective ARG_tel "!^[a-zA-Z0-9_-]*$"
+ SecFilterSelective ARG_tel "!^[a-zA-Z0-9_ -]*$"
 SecFilterSelective ARG_desc "!^[a-zA-Z0-9_-]*$"
 SecFilterSelective ARG_mail "!^[a-zA-Z0-9_\.@-]*$"
 SecFilterSelective ARG_style "!^[a-zA-Z0-9_-]*$"
- SecFilterSelective ARG_ldap_dn "!^[a-zA-Z0-9_=;-]*$"
+ SecFilterSelective ARG_ldap_dn "!^[a-zA-Z0-9_=;,-]*$"
 SecFilterSelective ARG_is_admin "!^1?$"
 SecFilterSelective ARG_email "!^1?$"
 SecFilterSelective ARG_random "!^1?$"
 SecFilterSelective ARG_timeout "!^1?$"
+ SecFilterSelective ARG_cut_index "!^1?$"
+ SecFilterSelective ARG_content_negotiation "!^1?$"
+ SecFilterSelective ARG_ftp_passive "!^1?$"
+ #SecFilterSelective ARG_cmd_after_publish "!^[a-zA-Z0-9_\/]+$"
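Review bot: The new catch-all `SecFilterSelective ARGS_NAMES "!^[a-z][a-z0-9_]*[0-9]*$"` rejects every parameter name containing an upper-case letter, while `targetSubAction` is still listed in the (commented) whitelist directly above it, so any request that still sends that parameter is now blocked; the trailing `[0-9]*` is also redundant because `[a-z0-9_]*` already accepts digits, so `"!^[a-zA-Z][a-zA-Z0-9_]*$"` would state the intended rule. The chained whitelist kept as comments cannot express the union it is aiming for: each `ARGS_NAMES` link is matched independently against all parameter names, so a request carrying one name from one group and one from another matches every negated link and is denied, which is presumably why it was abandoned — a single regex (split over physical lines with a trailing backslash if the server's config parser supports continuation) is the only way to do this with SecFilterSelective. `#SecFilterSelective ARG_cmd_after_publish ...` leaves the one parameter whose name suggests it is executed as a command with no value check at all; if the application does run it, strict server-side validation is required regardless, and the rule should be re-enabled rather than left commented. Finally, the new `SecFilterSelective ARG_password "!^[A-Za-z0-9_-]*$"` (like the existing password rules) rejects any password containing punctuation, which both shrinks the usable password alphabet and turns a legitimate login into a 403; a rule that only excludes control characters would be a safer filter for secret values.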
@@ -104,7 +121,10 @@
 SecFilterSelective ARG_subaction "^(|project|object|projectmenu|administration|changepassword|register|registercode|registercommit|password|showlogin|login|logout|setnewpassword)$" allow
 SecFilterSelective ARG_action "^folder$" chain
- SecFilterSelective ARG_subaction "^(|show|save|create|pub|prop|rights|createnewpage|createnewfolder|createnewlink|createnewfile|edit|changesequence|multiple)$" allow
+ SecFilterSelective ARG_subaction "^(|show|save|create|pub|prop|saveprop|rights|createnewpage|createnewfolder|createnewlink|createnewfile|edit|changesequence|multiple|order|settop|setbottom|select)$" allow
+
+ SecFilterSelective ARG_action "^(file|page|link|folder)$" chain
+ SecFilterSelective ARG_subaction "^(|aclform|addacl|delacl|pubnow)$" allow
 SecFilterSelective ARG_action "^page$" chain
 SecFilterSelective ARG_subaction "^(|show|save|edit|el|pub|prop|src|rights)$" allow
@@ -113,13 +133,13 @@
 SecFilterSelective ARG_subaction "^(|show|save|pub|prop|rights)$" allow
 SecFilterSelective ARG_action "^link$" chain
- SecFilterSelective ARG_subaction "^(|show|save|pub|prop|rights)$" allow
+ SecFilterSelective ARG_subaction "^(|show|edit|save|pub|prop|rights)$" allow
 SecFilterSelective ARG_action "^pageelement$" chain
- SecFilterSelective ARG_subaction "^(|save|editlink|editlongtext|archivelink|archivelongtext|diff)$" allow
+ SecFilterSelective ARG_subaction "^(|save|editlink|editlongtext|archivelink|archivelongtext|diff|savelongtext)$" allow
 SecFilterSelective ARG_action "^(main|mainmenu)$" chain
- SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link|template|language|model|search|project|user|group)$" allow
+ SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link|template|language|model|search|project|user|group|element)$" allow
 SecFilterSelective ARG_action "^template$" chain
 SecFilterSelective ARG_subaction "^(|prop|el|listing|show|edit|src|srcaddelement)$" allow
@@ -146,13 +166,13 @@
 SecFilterSelective ARG_subaction "^(|listing|add|edit|remove)$" allow
 SecFilterSelective ARG_action "^search$" chain
- SecFilterSelective ARG_subaction "^(|prop|value)$" allow
+ SecFilterSelective ARG_subaction "^(|prop|content)$" allow
 SecFilterSelective ARG_action "^project$" chain
 SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|maintanance)$" allow
 SecFilterSelective ARG_action "^user$" chain
- SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|groups|pw|rights|pwchange|addgrouptouser|delete)$" allow
+ SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|groups|pw|rights|pwchange|addgrouptouser|adduser|delete)$" allow
 SecFilterSelective ARG_action "^group$" chain
 SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|users)$" allow
@@ -161,13 +181,14 @@
 SecFilterSelective ARG_subaction "^(|saveprofile|savepw)$" allow
 SecFilterSelective ARG_action "^element$" chain
- SecFilterSelective ARG_subaction "^(|saveproperties)$" allow
+ SecFilterSelective ARG_subaction "^(|properties|saveproperties|name|remove|type|delete)$" allow
 # Fallback: Alles ablehnen.
 # Temporär alles loggen und erstmal trotzdem erlauben.
- SecFilter ".*" log,allow
+ #SecFilter ".*" log,allow
+ SecFilter ".*"
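Review bot: The new fallback `SecFilter ".*"` carries no action of its own, so whether it actually denies depends on `SecFilterDefaultAction`, which is set somewhere outside this hunk; make the intent explicit with `SecFilter ".*" "deny,log,status:403"` so the rule keeps denying even if the default action is later relaxed to pass or allow. The comment directly above it, `# Temporär alles loggen und erstmal trotzdem erlauben.`, now describes the commented-out line rather than the live one and should become something like `# Fallback: deny every request not explicitly allowed above.`. Because this flips the rule set from log-only to default-deny, every legitimate action/subaction pair — including, presumably, the entry URL with no parameters at all — must be covered by an earlier `allow`, and most of that allow list lies outside this hunk; keeping the `log,allow` variant active in a staging environment until the log shows no legitimate request reaching the fallback would confirm the list is complete.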