[imp] RFC: is this a secure wvHtml image temp file workaround?

Kevin Myer kevin_myer at iu13.org
Sat Apr 2 06:37:17 PST 2005 

Hello,

I got tired of seeing the 0x08 grahic inside a box for Word documents viewed
with wvHTML last night, so I attempted to figure out a way to resolve that
issue.

So I got something that worked last night and was pleased to see graphics.  This
morning I was looking to see if an issue I'm having with Firefox showing my
INBOX in a compressed mode was in the IMP bug database and came across ticket
1586.  So I'm having my doubts that what I did to get images is actually a
secure way of doing things but thats why I'd like some review.  And I can't
remember if I hacked something in wvHtml or IMP or Horde somewhere back and
forgot about it and its actually my old hack that's making things work :)

This morning, I found in the archives that Eric Rostetter is doing something
similar (http://marc.theaimsgroup.com/?l=imp&m=104508515410276&w=2).  I've seen
various discussion about the security implications of the ways to solve the
Word image viewing problem, so I'd like someone to point out what's insecure
about the following recipe.

First, configure $conf['tmpdir'] in horde/conf.php (you wouldn't have to but its
probably a good idea to use something other than /tmp).  Make sure that
$conf['tmpdir'] is outside your DocumentRoot.

Second, (obviously) make sure you have horde/mime_drivers.php configured to use
wvHtml for msword documents.

Third, add a RewriteRule to Apache:

RewriteRule ^$webroot/imp/msword(.+) $conf['tmpdir']/msword$1 [L]

Set $webroot to whatever you have configured as $webroot in horde/registry.php
and set $conf['tmpdir'] to whatever you have configured, as noted above, in
horde/conf.php.

Example: if using a webroot of '' (i.e. where you're using a DocumentRoot of
"/var/www/virtualdomains/yourdomain/horde" and an Alias of /horde/
"/var/www/virtualdomains/yourdomain/horde"), and a $conf['tmpdir'] of
/var/www/virtualdomains/yourdomain/tmp, this becomes:

RewriteRule ^/imp/msword(.+) /var/www/virtualdomains/yourdomain/tmp/msword$1 [L]

Fourth (also hopefully, obviously), restart Apache.

Fifth, view Word documents with graphics and see the images :)

The only caveat I see is that someone could make arbitrary requests for msword*
files and be able to access other users' images.  But they would have to guess
the temporary file names to do that

But it can't be that simple can it?  What am I missing?

Kevin

-- 
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140

More information about the imp mailing list