
Split archive browsing and administration/moderation

Along with #3951, I think there needs to be another split of swh-web: currently, it is used for both:

  1. browsing (highly-untrusted) content of the archive
  2. administrative stuff (save code now, add-forge ticketing, deposit, mailmaps)

This means XSS vulnerabilities in the former can grant attackers access to the latter, because they are on the same domain (shared cookies and sessions).

#4028 would make it harder to exploit this kind of vulnerability, but it is still a large attack surface.

See !741 (closed) and !89 (closed) for examples of such vulnerabilities, which would have had negligible impact if privileged UIs were on a separate subdomain. (Note that, of course, issues like !99 (closed) and !1072 (closed) would not be mitigated by this, because they happen within administrative UIs.)
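As an added illustration (not code from this issue or from swh-web), the script below uses Python's standard-library `CookieJar` as a stand-in for the user's browser to show where a session cookie travels under the current shared-host layout, under a split onto a separate admin host, and with the one cookie setting (`Domain=` scoped to the parent domain) that would undo the split. The hostnames, paths and cookie name are constructed for the example.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed hostnames and paths for the example; not swh-web's real deployment.
BROWSE_HOST = "archive.example.org"  # public UI that renders untrusted archive content
ADMIN_HOST = "admin.example.org"     # hypothetical separate host for the privileged UIs
SESSION = "sessionid=constructed-value; Path=/; Secure; HttpOnly"

class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies(): info() -> headers."""
    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

def login(jar, host, set_cookie):
    """Store in `jar` the session cookie a login response from `host` would set."""
    jar.extract_cookies(_FakeResponse(set_cookie), urllib.request.Request(f"https://{host}/login/"))

def cookie_names_sent_to(jar, url):
    """Cookie names the jar attaches to a request for `url`. Script injected into that
    page (XSS) runs in the same origin, so its requests to that host carry them too."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie") or ""
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())

def session_visibility(admin_host, set_cookie):
    """Log in on `admin_host`, then report whether the session cookie reaches a
    browsing page (where an XSS would run) and an admin page."""
    jar = http.cookiejar.CookieJar()  # stands in for the user's browser
    login(jar, admin_host, set_cookie)
    return {
        "browse_page": cookie_names_sent_to(jar, f"https://{BROWSE_HOST}/browse/origin/"),
        "admin_page": cookie_names_sent_to(jar, f"https://{admin_host}/admin/"),
    }

# 1. Today's layout: admin UIs on the browsing host, so the browse page carries the session.
SHARED = session_visibility(BROWSE_HOST, SESSION)
# 2. Split layout: the browse page no longer carries the admin session.
SPLIT = session_visibility(ADMIN_HOST, SESSION)
# 3. Caveat: scoping the cookie to the parent domain (Domain=example.org) undoes the split.
SPLIT_PARENT_DOMAIN = session_visibility(ADMIN_HOST, SESSION + "; Domain=example.org")

if __name__ == "__main__":
    for label, r in (("shared host", SHARED), ("split hosts", SPLIT), ("split + Domain=", SPLIT_PARENT_DOMAIN)):
        print(f"{label:16} browse_page={r['browse_page']} admin_page={r['admin_page']}")
```

The third case is the deployment check to keep in mind once the split exists: the admin session cookie must be set without a `Domain` attribute (host-only) or the browsing host sees it again.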


Migrated from T4231 (view on Phabricator)
