On Fri, Apr 15, 2016 at 11:52 AM, Vincent Massol <[email protected]> wrote:
> > On 15 Apr 2016, at 10:30, Marius Dumitru Florea <[email protected]> wrote:
> >
> > On Thu, Apr 14, 2016 at 7:46 PM, Vincent Massol <[email protected]> wrote:
> >
> >>> On 14 Apr 2016, at 16:52, Marius Dumitru Florea <[email protected]> wrote:
> >>>
> >>> On Thu, Apr 14, 2016 at 5:43 PM, Vincent Massol <[email protected]> wrote:
> >>>
> >>>> Hi devs,
> >>>>
> >>>> I’m implementing http://jira.xwiki.org/browse/XWIKI-10375 ("Refactor the
> >>>> temporary resource concept inside the Resource module”) and I need to
> >>>> define a URL format for the new “tmp” resource type.
> >>>>
> >>>> I’m proposing the following:
> >>>>
> >>>> http://<server>/<context>/tmp/<module id>/<serialized owner document
> >>>> reference>/<module-dependent resource path>
> >>>
> >>> Serialized document reference uses backslash to escape special characters
> >>> which breaks the URL in Tomcat for security reasons.
> >>
> >> Yes but the same is true whether you have “A\.B.C” or "/A\.B/C”.
> >
> > WDYM? The dot is escaped in the space name with a backslash only when the
> > space name is serialized as a reference, which is not the case for the
> > standard wiki page URL /xwiki/bin/view/Space.With.Dot/Page.With.Dot
> >
> > Having a slash or a backslash in the space or page name is less common than
> > having a dot ("Version 1.2"). And the user might be willing to accept that
> > having a backslash in the page (or attachment's) name can cause security
> > issues with Tomcat, but I doubt he will accept to avoid dots.
>
> What do you propose? (I’ve sent another mail explaining why having the
> reference serialized as different path segments is an issue)
>
> We could also implement a different document reference resolver/serializer
> for URLs so that the escape symbol is not “\”. Actually maybe this would be
> the best and would be useful in several places.

+1

Thanks,
Marius

> WDYT?
>
> Thanks
> -Vincent
>
> >> That’s not a blocking issue anyway since we can easily transform them into
> >> other characters when we serialize and do the opposite when we parse the
> >> URL.
> >>
> >>>> This is based on the existing TemporaryResourceReference at:
> >>>>
> >>>> https://github.com/xwiki/xwiki-platform/blob/96caad053c14fc5546e9bc141bc284e6112dd48e/xwiki-platform-core/xwiki-platform-resource/xwiki-platform-resource-default/src/main/java/org/xwiki/resource/temporary/TemporaryResourceReference.java#L33-L33
> >>>>
> >>>> For example:
> >>>>
> >>>> http://<server>/<context>/tmp/officeviewer/A.B.WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
> >>>>
> >>>> Note that in this example from the officeviewer macro the module-dependent
> >>>> resource path consists in:
> >>>>
> >>>> - base64(name of office attachment + hashcode(parameters))
> >>>
> >>> See http://jira.xwiki.org/browse/XWIKI-11528 for the rationale behind it. I
> >>> was trying to avoid backslash (from the serialized attachment reference) in
> >>> the URL.
> >>
> >> Yes. However the image name “Company Presentation-slide0” could also
> >> contain slash or backslashes too.
> >
> > It could but it's less common, especially because most Operating Systems
> > are not very friendly with these characters when used in file or folder
> > names.
> >
> >> Note that I wasn’t sure why you didn’t compute the base64 of both the
> >> name of attachment + the parameters instead of having 2 directory levels
> >> consisting in the base64 of the attachment name + the hashcode of the
> >> parameters as different path segments. Need to check XWIKI-11528, maybe
> >> it’s there.
> >>
> >> IMO we need to treat all path segments in the same way and convert slash
> >> and backslash into some other characters. I’m not sure we need the base64
> >> solution. But anyway this is an implementation detail of the officeviewer
> >> module and not really related to the discussion of the generic Temporary
> >> URL format.
> >>
> >> Thanks
> >> -Vincent
> >>
> >>>> - generated image name from PPT
> >>>>
> >>>> In this case, the implementation would generate the following file:
> >>>>
> >>>> [TMPDIR]/officeviewer/A/B/WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
> >>>>
> >>>> WDYT?
> >>>>
> >>>> Thanks
> >>>> -Vincent

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
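
Added example, not part of the thread and not XWiki code: a sketch of the URL-specific reference serializer/resolver idea discussed above, where the escape symbol is not a backslash and slash/backslash in names are mapped to other characters. The class name `UrlReferenceCodec`, the `~` escape symbol and the `~s`/`~b` mappings are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
/** Hypothetical codec (not XWiki's API): dot-separated reference escaped with '~' instead of '\'. */
public class UrlReferenceCodec {
    private static final char ESC = '~', SEP = '.'; // '~' is an assumed choice (RFC 3986 unreserved)

    /** Joins entity names (spaces, then page) into one path segment free of '/' and '\'. */
    static String serialize(List<String> names) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < names.size(); i++) {
            if (i > 0) out.append(SEP);
            for (char c : names.get(i).toCharArray()) {
                switch (c) {
                    case ESC:  out.append(ESC).append(ESC); break;
                    case SEP:  out.append(ESC).append(SEP); break;
                    case '/':  out.append(ESC).append('s'); break;
                    case '\\': out.append(ESC).append('b'); break;
                    default:   out.append(c);
                }
            }
        }
        return out.toString();
    }

    /** Inverse of serialize; rejects input that serialize could never have produced. */
    static List<String> resolve(String segment) {
        List<String> names = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < segment.length(); i++) {
            char c = segment.charAt(i);
            if (c == '/' || c == '\\') throw new IllegalArgumentException("raw slash in segment");
            if (c == SEP) { names.add(cur.toString()); cur.setLength(0); continue; }
            if (c != ESC) { cur.append(c); continue; }
            if (++i == segment.length()) throw new IllegalArgumentException("dangling escape");
            char e = segment.charAt(i);
            if (e == ESC || e == SEP) cur.append(e);
            else if (e == 's') cur.append('/');
            else if (e == 'b') cur.append('\\');
            else throw new IllegalArgumentException("unknown escape ~" + e);
        }
        names.add(cur.toString());
        return names;
    }

    public static void main(String[] args) {
        List<String> ref = List.of("Version 1.2", "a\\b", "WebHome"); // constructed sample names
        if (!resolve(serialize(ref)).equals(ref)) throw new AssertionError("round trip failed");
    }
}
```

The serialized segment still needs ordinary percent-encoding for characters such as spaces before it is placed in a URL; the codec only guarantees that no literal slash or backslash reaches the servlet container.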

