> On 14 Apr 2016, at 23:03, Thomas Mortagne <[email protected]> wrote:
> 
> IMO since Tomcat can be properly configured to behave as any decent
> application server should and just do what we tell it to do I don't
> think we care.

I’m not sure I fully agree for 2 reasons:

* Tomcat is our main servlet container used by our users by far (see 
http://www.xwiki.org/xwiki/bin/view/ActiveInstalls/)
* Tomcat explicitly tells its users that it’s for their security. Why would 
they not believe it and reduce security?

So I think it would be good for us to go one step further and make sure XWiki 
works by default on Tomcat.

There’s an alternative though, which would be for XWiki to verify at startup 
that the 2 Tomcat system properties are set and if not, fail the deployment of 
the XWiki webapp (we would check that in our Servlet Context Listener). The 
only issue is that users may tell us that it’s not good to turn off this 
security feature and we should review our code to ensure we’re not affected by 
Directory traversal attack 
(https://en.wikipedia.org/wiki/Directory_traversal_attack) and then we could 
tell them that they're protected against it.

In any case, generically converting the %5C and %2F chars into something else 
(with a Filter as I was suggesting in the previous mail) and then decoding 
those is just hiding the problem and would still make us vulnerable to 
directory attacks, so it’s probably not the best solution...

WDYT?

Thanks
-Vincent

> On Thu, Apr 14, 2016 at 6:54 PM, Vincent Massol <[email protected]> wrote:
>> 
>>> On 14 Apr 2016, at 18:46, Vincent Massol <[email protected]> wrote:
>>> 
>>>> 
>>>> On 14 Apr 2016, at 17:55, Thomas Mortagne <[email protected]> wrote:
>>>> 
>>>> On Thu, Apr 14, 2016 at 4:52 PM, Marius Dumitru Florea
>>>> <[email protected]> wrote:
>>>>> On Thu, Apr 14, 2016 at 5:43 PM, Vincent Massol <[email protected]> wrote:
>>>>> 
>>>>>> Hi devs,
>>>>>> 
>>>>>> I’m implementing http://jira.xwiki.org/browse/XWIKI-10375 ("Refactor the
>>>>>> temporary resource concept inside the Resource module”) and I need to
>>>>>> define a URL format for the new “tmp” resource type.
>>>>>> 
>>>>>> I’m proposing the following:
>>>>>> 
>>>>>> 
>>>>> 
>>>>>> http://<server>/<context>/tmp/<module id>/<serialized owner document reference>/<module-dependent resource path>
>>>>>> 
>>>>> 
>>>>> Serialized document reference uses backslash to escape special characters
>>>>> which breaks the URL in Tomcat for security reasons.
>>>> 
>>>> Badly configured Tomcat does not like slash but are you sure about 
>>>> backslash ?
>>> 
>>> Yes, it’s both.
>> 
>> FTR http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security
>> 
>> -Vincent
>> 
>>> 
>>> Thanks
>>> -Vincent
>>> 
>>>> 
>>>>>> This is based on the existing TemporaryResourceReference at:
>>>>>> 
>>>>>> https://github.com/xwiki/xwiki-platform/blob/96caad053c14fc5546e9bc141bc284e6112dd48e/xwiki-platform-core/xwiki-platform-resource/xwiki-platform-resource-default/src/main/java/org/xwiki/resource/temporary/TemporaryResourceReference.java#L33-L33
>>>>>> 
>>>>>> For example:
>>>>>> 
>>>>>> http://<server>/<context>/tmp/officeviewer/A.B.WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
>>>>>> 
>>>>>> Note that in this example from the officeviewer macro the module-dependent
>>>>>> resource path consists in:
>>>>>> 
>>>>> 
>>>>> 
>>>>>> - base64(name of office attachment + hashcode(parameters))
>>>>>> 
>>>>> 
>>>>> See http://jira.xwiki.org/browse/XWIKI-11528 for the rationale behind it.
>>>>> I was trying to avoid backslash (from the serialized attachment reference)
>>>>> in the URL.
>>>>> 
>>>>> 
>>>>>> - generated image name from PPT
>>>>>> 
>>>>>> In this case, the implementation would generate the following file:
>>>>>> 
>>>>>> 
>>>>>> [TMPDIR]/officeviewer/A/B/WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
>>>>>> 
>>>>>> WDYT?
>>>>>> 
>>>>>> Thanks
>>>>>> -Vincent
>> 
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
> 
> 
> 
> -- 
> Thomas Mortagne


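As an added example, not code from this thread or from XWiki (and written in Python rather than XWiki's Java, purely to illustrate the review Vincent mentions: the tmp resource code itself must not be open to directory traversal even where the container is told to allow encoded slashes and backslashes), this maps the proposed /tmp/<module id>/<serialized owner document reference>/<module-dependent resource path> URL to a file under [TMPDIR], decoding each URL segment separately and rejecting any segment that would act as a path separator or traverse. The TMPDIR value and the segment rules are assumptions for this example; the backslash escaping of dots in serialized references follows what Marius describes above.

```python
import posixpath
from urllib.parse import unquote

# Constructed root for the example; the thread calls it [TMPDIR].
TMPDIR = "/var/tmp/xwiki"

def split_reference(serialized):
    r"""Split a decoded reference on unescaped dots; XWiki escapes with a
    backslash, so 'Sp\.ace.WebHome' gives ['Sp.ace', 'WebHome']."""
    parts, current, escaping = [], [], False
    for ch in serialized:
        if escaping:
            current.append(ch)
            escaping = False
        elif ch == "\\":
            escaping = True
        elif ch == ".":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaping:
        raise ValueError("dangling escape in reference")
    parts.append("".join(current))
    return parts

def resolve_tmp_url(url_path):
    """Map '<module id>/<serialized reference>/<resource path>' (the URL part
    after /tmp/, still percent-encoded) to a file below TMPDIR, or raise."""
    module_id, reference, resource_path = url_path.split("/", 2)  # ValueError if short
    # Decode each URL segment on its own: an encoded slash (%2F) or backslash
    # (%5C) then stays inside ONE segment and is judged there, instead of
    # silently becoming a new directory level as a re-decoding filter would allow.
    segments = [unquote(module_id)] + split_reference(unquote(reference)) \
        + [unquote(s) for s in resource_path.split("/")]
    for seg in segments:
        if seg in ("", ".", "..") or "/" in seg or "\\" in seg:
            raise ValueError("illegal path segment: %r" % seg)
    candidate = posixpath.normpath(posixpath.join(TMPDIR, *segments))
    if posixpath.commonpath([TMPDIR, candidate]) != TMPDIR:  # belt and braces
        raise ValueError("resolved path escapes TMPDIR")
    return candidate

def is_safe_tmp_url(url_path):
    """True when the URL maps to a file under TMPDIR, False when rejected."""
    try:
        resolve_tmp_url(url_path)
        return True
    except ValueError:
        return False
```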