On Thu, Apr 14, 2016 at 7:46 PM, Vincent Massol <[email protected]> wrote:
>
> > On 14 Apr 2016, at 16:52, Marius Dumitru Florea <[email protected]> wrote:
> >
> > On Thu, Apr 14, 2016 at 5:43 PM, Vincent Massol <[email protected]> wrote:
> >
> >> Hi devs,
> >>
> >> I’m implementing http://jira.xwiki.org/browse/XWIKI-10375 ("Refactor the
> >> temporary resource concept inside the Resource module”) and I need to
> >> define a URL format for the new “tmp” resource type.
> >>
> >> I’m proposing the following:
> >>
> >> http://<server>/<context>/tmp/<module id>/<serialized owner document reference>/<module-dependent resource path>
> >>
> >
> > Serialized document reference uses backslash to escape special characters
> > which breaks the URL in Tomcat for security reasons.
>
> Yes but the same is true whether you have “A\.B.C” or "/A\.B/C”.

WDYM? The dot is escaped in the space name with a backslash only when the space name is serialized as a reference, which is not the case for the standard wiki page URL

/xwiki/bin/view/Space.With.Dot/Page.With.Dot

Having a slash or a backslash in the space or page name is less common than having a dot ("Version 1.2"). And the user might be willing to accept that having a backslash in the page (or attachment's) name can cause security issues with Tomcat, but I doubt he will accept to avoid dots.

> That’s not a blocking issue anyway since we can easily transform them into
> other characters when we serialize and do the opposite when we parse the
> URL.
>
> > This is based on the existing TemporaryResourceReference at:
> >>
> >> https://github.com/xwiki/xwiki-platform/blob/96caad053c14fc5546e9bc141bc284e6112dd48e/xwiki-platform-core/xwiki-platform-resource/xwiki-platform-resource-default/src/main/java/org/xwiki/resource/temporary/TemporaryResourceReference.java#L33-L33
> >>
> >> For example:
> >>
> >> http://<server>/<context>/tmp/officeviewer/A.B.WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
> >>
> >> Note that in this example from the officeviewer macro the module-dependent
> >> resource path consists in:
> >>
> >> - base64(name of office attachment + hashcode(parameters))
> >>
> >
> > See http://jira.xwiki.org/browse/XWIKI-11528 for the rationale behind it. I
> > was trying to avoid backslash (from the serialized attachment reference) in
> > the URL.
>
> Yes. However the image name “Company Presentation-slide0” could also
> contain slash or backslashes too.

It could but it's less common, especially because most Operating Systems are not very friendly with these characters when used in file or folder names.

> Note that I wasn’t sure why you didn’t compute the base64 of both the
> name of attachment + the parameters instead of having 2 directory levels
> consisting in the base64 of the attachment name + the hashcode of the
> parameters as different path segments. Need to check XWIKI-11528, maybe
> it’s there.
>
> IMO we need to treat all path segments in the same way and convert slash
> and backslash into some other characters. I’m not sure we need the base64
> solution. But anyway this is an implementation detail of the officeviewer
> module and not really related to the discussion of the generic Temporary
> URL format.
>
> Thanks
> -Vincent
>
> > - generated image name from PPT
> >>
> >> In this case, the implementation would generate the following file:
> >>
> >> [TMPDIR]/officeviewer/A/B/WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
> >>
> >> WDYT?
> >>
> >> Thanks
> >> -Vincent
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
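
The transformation discussed in this thread (convert slash and backslash in every path segment when serializing, reverse it when parsing the URL), sketched as an added example that is not XWiki's code and not part of the original messages. The `~XX` escape, the class and method names, the sample name and the temporary directory are assumptions; splitting the document reference into `A/B/WebHome` is left out.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class TmpSegmentCodec {
    // Assumption: '~' is the escape character; the thread only says "some other characters".
    static final char ESC = '~';

    // Replace '/', '\' and '~' with ~XX (hex) so no segment carries a separator.
    static String encode(String segment) {
        StringBuilder sb = new StringBuilder();
        for (char c : segment.toCharArray()) {
            if (c == '/' || c == '\\' || c == ESC) sb.append(ESC).append(String.format("%02X", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // Inverse of encode(). The round-trip check rejects raw separators and non-canonical escapes.
    static String decode(String encoded) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < encoded.length(); i++) {
            char c = encoded.charAt(i);
            if (c != ESC) { sb.append(c); continue; }
            if (i + 2 >= encoded.length()) throw new IllegalArgumentException("truncated escape");
            sb.append((char) Integer.parseInt(encoded.substring(i + 1, i + 3), 16));
            i += 2;
        }
        if (!encode(sb.toString()).equals(encoded)) throw new IllegalArgumentException("not canonical");
        return sb.toString();
    }

    // Map raw segments to a file below tmpDir, storing each one in its encoded form.
    static Path resolve(Path tmpDir, String... rawSegments) {
        Path base = tmpDir.toAbsolutePath().normalize();
        Path p = base;
        for (String s : rawSegments) {
            if (s.isEmpty() || s.equals(".") || s.equals("..")) throw new IllegalArgumentException("bad segment");
            p = p.resolve(encode(s));
        }
        if (!p.normalize().startsWith(base)) throw new IllegalArgumentException("escapes tmp dir");
        return p;
    }

    public static void main(String[] args) {
        String name = "Version 1.2/draft\\final"; // constructed sample name and tmp dir
        String enc = encode(name);
        System.out.println(enc + " -> " + decode(enc));
        System.out.println(resolve(Paths.get("/tmp/xwiki-tmp"), "officeviewer", "A.B.WebHome", name, "slide0.jpg"));
    }
}
```

Because `decode()` accepts exactly what `encode()` emits, each resource name has a single URL form, and a segment that arrives with a raw slash or backslash is rejected instead of being reinterpreted as a path.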

