I really don't like Option 2: it will only lead to way too much complexity, and it's impossible to do it cleanly. URLs already have an encoding syntax, and Tomcat should follow it as it's supposed to. It's much better, and not very hard, to finally add a first validator page in the DW to check things like Tomcat settings, memory allocation, etc.
On Mon, Nov 16, 2015 at 10:21 AM, vinc...@massol.net <vinc...@massol.net> wrote:
> Hi guys,
>
> I think we need to reach an agreement on how to handle the default Tomcat security
> which disables the usage of / and \ in URLs (even URL-encoded). See
> http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
>
> We have 2 main options:
>
> * Option 1: Tell users to disable this security feature of Tomcat:
> http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security. In
> this case we just need to review our code to ensure we're not subject to
> directory traversal attacks (see
> https://en.wikipedia.org/wiki/Directory_traversal_attack).
>
> * Option 2: Decide to make it easy for Tomcat users (since it's probably the
> typical servlet container used by our users) and to not use / and \ in our
> URLs.
>
> Option 2 means modifying our code. There are various possibilities:
> * A) Replace the "/" and "\" characters by other characters in URLs and
> modify our URL Serialization code (implementations of XWikiURLFactory) and
> our URL parsing code (URL modules).
> * B) Use a different encoding. Marius has used Base64 encoding for
> http://jira.xwiki.org/browse/XWIKI-11528. However this cannot be a generic
> solution since it leads to large URLs and also makes the URL not legible
> anymore. So this solution could only be for internal URLs.
> * Other?
>
> For A), it could be a character like '|' for '/' (and thus "||" if you want to
> have a real '|') and '~' for '\' (and "~~" if you want to have a real '\').
>
> So there are 2 questions in this thread:
> * Do we want to be Tomcat-friendly?
> * If so, what strategy do we apply?
>
> WDYT?
>
> Thanks
> -Vincent
>
> _______________________________________________
> devs mailing list
> devs@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs

-- 
Thomas Mortagne
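Worked example added by the editor; it is not code from the thread or from XWiki, and it is written in Python rather than XWiki's Java so it can be run as-is. It exercises both branches of the discussion: the '|' / '~' doubling scheme sketched for Option A, including a pair of segments that scheme cannot tell apart after encoding; an alternative prefix escape (escape character '!', an assumption of this example, chosen because RFC 3986 allows it unencoded in a path segment) that decodes uniquely; and the kind of containment check Option 1 calls for once Tomcat's rejection of encoded slashes and backslashes is switched off. The base directory, request paths and all function names are constructed for this example.

```python
"""Editor's example for the Option A / Option 1 discussion. Not XWiki code.

'/' -> '|', '\\' -> '~' with doubling for literals is the mapping proposed in
the thread. The '!' prefix escape, resolve_within() and every name below are
this example's own assumptions.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote


def escape_doubling(segment: str) -> str:
    """Thread proposal: '/'->'|', '\\'->'~', literal '|'->'||', literal '~'->'~~'."""
    out = []
    for ch in segment:
        if ch == "/":
            out.append("|")
        elif ch == "\\":
            out.append("~")
        elif ch in "|~":
            out.append(ch * 2)        # literal escape char is doubled
        else:
            out.append(ch)
    return "".join(out)


def unescape_doubling(encoded: str) -> str:
    """Greedy decoder for escape_doubling(); doubling_collision() shows it is lossy."""
    out, i = [], 0
    while i < len(encoded):
        ch = encoded[i]
        if ch in "|~":
            if i + 1 < len(encoded) and encoded[i + 1] == ch:
                out.append(ch)        # doubled -> literal '|' or '~'
                i += 2
                continue
            out.append("/" if ch == "|" else "\\")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def doubling_collision() -> tuple[str, str, str]:
    """Two different segments encode to the same string, so one cannot round-trip."""
    a, b = "a/|b", "a|/b"
    return escape_doubling(a), escape_doubling(b), unescape_doubling(escape_doubling(a))


ESC = "!"  # assumption: '!' is a sub-delim, legal unencoded in a URL path segment
PREFIXED = {"/": ESC + "s", "\\": ESC + "b", ESC: ESC + ESC}
UNPREFIXED = {code[1]: plain for plain, code in PREFIXED.items()}


def escape_prefixed(segment: str) -> str:
    """Every escape is exactly two characters starting with ESC, so decoding is unique."""
    return "".join(PREFIXED.get(ch, ch) for ch in segment)


def unescape_prefixed(encoded: str) -> str:
    """Inverse of escape_prefixed(); raises on a dangling or unknown escape."""
    out, i = [], 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == ESC:
            if i + 1 >= len(encoded) or encoded[i + 1] not in UNPREFIXED:
                raise ValueError("malformed escape at offset %d" % i)
            out.append(UNPREFIXED[encoded[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def resolve_within(base: str, request_path: str) -> str | None:
    """Option 1 style check: percent-decode once, fold '\\' to '/', normalise,
    and refuse any result that is not inside base. Returns the safe path or None."""
    decoded = unquote(request_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    root = base.rstrip("/")
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    print("collision:", doubling_collision())
    print("prefixed:", escape_prefixed("a/|b"), escape_prefixed("a|/b"))
    print("traversal:", resolve_within("/data/wiki", "..%2F..%2Fetc%2Fpasswd"))
```

The doubling scheme fails because "||" can be read either as one literal '|' or as a '/' followed by the start of another escape; a prefix escape avoids that by reserving one character that only ever opens a two-character escape. The containment check decodes exactly once on purpose: decoding twice would let "%252F" slip past as a slash.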