On Sun, Jan 13, 2013 at 1:53 AM, Sergiu Dumitriu <sergiu(a)xwiki.org> wrote:
> Hi devs,
>
> Initially I didn't activate the resource skin extensions plugins (jsrx
> and ssrx) for security considerations, since they can be used to read
> any file from the classpath. I had forgotten to work on that, and now
> they have been enabled and used in their current implementation for a
> while. This means that changing the behavior will cause backward
> incompatibilities...
>
> So, I'm proposing that all skin resources packaged inside Jars should
> reside under the /skinx/ root directory. This prefix shouldn't be
> included in the pulled URL, it will be appended internally, and enforced
> to prevent any /skinx/../privateresource tricks.
>
> For example:
>
> $xwiki.jsrx.use('/gmaps/gmaps.js')
>
> will look for /skinx/gmaps/gmaps.js inside jars and the /classes/ directory.
The downside is that we won't be able to (re)use JS/CSS from third
party jars (not built by us). Why not filter access based on file
extension? jsrx could accept only *.js and ssrx only *.css.
Thanks,
Marius
> As a migration plan I'd like to implement this check ASAP, add a
> configuration for enabling the old behavior (if no resource was found
> with the skinx prefix, search without the prefix), which should be set
> to true by default in 4.5. Trigger a warning (in the logs) when such a
> deprecated resource is found. For 5.0 we switch to false by default, and
> in 6.0 we remove the switch completely.
>
> WDYT?
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu
>
> _______________________________________________
> devs mailing list
> devs(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
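To make the two proposals concrete, here is an added illustrative resolver (not XWiki's code, and not from either poster) that combines Sergiu's internally appended /skinx/ prefix with the migration switch and log warning, and Marius's extension filter; the `classpath` set and `SkinxResourceResolver` name are constructed stand-ins for the real jar and /classes/ lookups.

```java
import java.util.Set;
import java.util.logging.Logger;

/** Constructed model of a jsrx/ssrx lookup with the proposed checks (illustrative only). */
public class SkinxResourceResolver {
    private static final Logger LOG = Logger.getLogger(SkinxResourceResolver.class.getName());
    private static final String PREFIX = "/skinx/"; // never taken from the caller

    private final Set<String> classpath;   // stands in for jar / classes/ directory entries
    private final boolean legacyFallback;  // the proposed 4.5 switch: search without the prefix

    public SkinxResourceResolver(Set<String> classpath, boolean legacyFallback) {
        this.classpath = classpath;
        this.legacyFallback = legacyFallback;
    }

    /** Returns the classpath entry to serve, or null when the request is refused or absent. */
    public String resolve(String requested, String allowedExtension) {
        if (requested == null) return null;
        // Extension filter (Marius's suggestion): jsrx serves only *.js, ssrx only *.css.
        if (!requested.endsWith("." + allowedExtension)) return null;
        // Refuse traversal and separator tricks before any lookup happens.
        if (requested.contains("\\") || requested.contains(":")) return null;
        for (String segment : requested.split("/")) {
            if (segment.equals("..") || segment.equals(".")) return null;
        }
        String relative = requested.startsWith("/") ? requested.substring(1) : requested;
        // The prefix is appended internally, so /skinx/ can never be escaped by the argument.
        String candidate = PREFIX + relative;
        if (classpath.contains(candidate)) return candidate;
        // Migration path: optional unprefixed lookup, flagged in the logs as deprecated.
        if (legacyFallback && classpath.contains("/" + relative)) {
            LOG.warning("Deprecated skin resource location /" + relative
                + "; move it under " + PREFIX);
            return "/" + relative;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample classpath: one migrated resource, one legacy one, one private file.
        Set<String> cp = Set.of("/skinx/gmaps/gmaps.js", "/legacy/old.css", "/xwiki.properties");
        SkinxResourceResolver r = new SkinxResourceResolver(cp, true);
        System.out.println(r.resolve("/gmaps/gmaps.js", "js"));           // /skinx/gmaps/gmaps.js
        System.out.println(r.resolve("/legacy/old.css", "css"));          // /legacy/old.css (warns)
        System.out.println(r.resolve("/../xwiki.properties", "js"));      // null (traversal)
        System.out.println(r.resolve("/xwiki.properties", "js"));         // null (extension)
    }
}
```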