[MLton] MLton wiki

Stephen Weeks MLton@mlton.org
Thu, 28 Oct 2004 13:57:50 -0700


> While I agree with your view on the openness of editing the content
> of the wiki, I feel that allowing arbitrary uploads of binary files
> is too much of a security risk.  Anyone can replace the official
> MLton distributions with trojaned copies.  

I agree that there is a problem, but I don't see that it is caused (or
made significantly worse) by allowing file attachments.  Even without
attachments, it is easy for a malicious user to put a binary file
somewhere else on the web and to change the Download page to point to
that external file.

> Even if you restricted those files, the wiki could be edited in
> other places to make it appear as if a particular file was official.
> This is especially bad as the wiki mostly appears like a regular web
> page.

True.

As an intermediate solution, I could restrict the Download and
Experimental pages to be modified only by trusted users.  But this
still allows a malicious user to modify a page that points to the
Download page (e.g. the home page) so that it points to another page,
say Download2.  They can then make Download2 look exactly like
Download, except with a link that points to a malicious binary (either
file attached or external).

Taking this argument to its transitive extreme, I must protect *every*
page.

I don't know where the right balance is.

Another possibility is a system where all pages are protected and only
editable by trusted users.  Everyone who wants to become a wiki editor
first has to contact me to be added to the list of trusted editors.  I
could live with this I guess.  But it's a bit of a shame.