|| ||Andrew Bartlett <abartlet-AT-samba.org> |
|| ||samba-AT-samba.org |
|| ||PROPOSAL: Remove SWAT in Samba 4.1 |
|| ||Mon, 18 Feb 2013 11:02:03 +1100|
|| ||asn-AT-samba.org, samba-technical-AT-samba.org|
|| ||Article, Thread
As most of you would have noticed, we have now had 3 CVE-nominated
security issues for SWAT in the past couple of years.
At the same time, while I know many of our users use SWAT, we just don't
have anybody to maintain it inside the Samba Team. Kai has made a
valiant effort to at least apply the XSS and CSRF guidelines when folks
make security reports, but by his own admission he isn't a web developer
- none of us are!
There are many other parts of Samba that have not been substantially
maintained in years, but few have the level of security exposure that
SWAT does (most are bits of library and utility code that we apply
elsewhere, but which just quietly does it's own job).
The issue isn't that we can't write secure code, but that writing secure
Web code where we can't trust the authenticated actions of our user's
browser is a very different modal to writing secure system code.
Frankly it just isn't our area.
Therefore, it was suggested on a private list that we just drop SWAT. I
want to start a public discussion on that point, prompted by
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
SWAT in the first place.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
to post comments)