On 14 Apr 2016, at 23:03, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
IMO since Tomcat can be properly configured to behave as any decent
application server should and just do what we tell it to do I don't
think we care.
I’m not sure I fully agree for 2 reasons:
* Tomcat is our main servlet container used by our users by far (see
http://www.xwiki.org/xwiki/bin/view/ActiveInstalls/)
* Tomcat explicitly tells its users that it’s for their security. Why would they not
believe it and reduce security?
So I think it would be good for us to go one step further and make sure XWiki works by
default on Tomcat.
There’s an alternative though, which would be for XWiki to verify at startup that the 2
tomcat system properties are set and if not, fail the deployment of the XWiki webapp (we
would check that in our Servlet Context Listener). The only issue is that users may tell
us that it’s not good to turn off this security feature and we should review our code to
ensure we’re not affected by Directory traversal attack
(https://en.wikipedia.org/wiki/Directory_traversal_attack) and then we could tell them
that they're protected against it.
In any case, generically converting the %5C and %2F chars into something else (with a
Filter as I was suggesting in the previous mail) and then decoding those is just hiding
the problem and would still make us vulnerable to directory attacks, so it’s probably not
the best solution...
WDYT?
Thanks
-Vincent
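The startup-check alternative described above, written out as an added example (this is not XWiki's code): a ServletContextListener that refuses to let the webapp start on Tomcat unless the two system properties from the Tomcat 7 "System properties" security page linked further down in this thread are set to true. The property names are the ones documented there; the class name, the Tomcat detection via getServerInfo() and the error message are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

/**
 * Fails the deployment of the webapp when it runs on Tomcat without the two
 * system properties that let %2F / %5C reach the application.
 * Example listener (hypothetical class name), not XWiki's own code.
 */
public class TomcatPathDelimiterCheckListener implements ServletContextListener
{
    // Property names as documented on the Tomcat 7 "System properties" > "Security" page.
    static final String ALLOW_ENCODED_SLASH =
        "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH";
    static final String ALLOW_BACKSLASH =
        "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH";

    @Override
    public void contextInitialized(ServletContextEvent event)
    {
        ServletContext context = event.getServletContext();
        if (!isTomcat(context)) {
            // Assumption: other containers pass the encoded delimiters through unchanged.
            return;
        }
        List<String> missing = missingProperties();
        if (!missing.isEmpty()) {
            // A RuntimeException thrown from a listener makes Tomcat mark the context
            // as failed, so the webapp never serves requests half-configured.
            throw new IllegalStateException("XWiki needs the following Tomcat system properties set to true "
                + "(e.g. -D<name>=true in CATALINA_OPTS, or in conf/catalina.properties): " + missing);
        }
        context.log("Tomcat encoded slash/backslash properties are set; tmp resource URLs will work");
    }

    @Override
    public void contextDestroyed(ServletContextEvent event)
    {
        // nothing to clean up
    }

    /** Tomcat reports itself as "Apache Tomcat/<version>" in getServerInfo(). */
    static boolean isTomcat(ServletContext context)
    {
        String serverInfo = context.getServerInfo();
        return serverInfo != null && serverInfo.startsWith("Apache Tomcat");
    }

    /** Returns the names of the required properties that are absent or not "true". */
    static List<String> missingProperties()
    {
        List<String> missing = new ArrayList<>();
        for (String name : new String[] { ALLOW_ENCODED_SLASH, ALLOW_BACKSLASH }) {
            if (!Boolean.parseBoolean(System.getProperty(name))) {
                missing.add(name);
            }
        }
        return missing;
    }
}
```

The listener is registered with a `<listener>` element in web.xml like any other ServletContextListener. Checking the properties at startup rather than at request time means an operator sees a single clear deployment failure in catalina.out instead of sporadic 400 responses on tmp resource URLs.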
On Thu, Apr 14, 2016 at 6:54 PM, Vincent Massol <vincent(a)massol.net> wrote:
On 14 Apr 2016, at 18:46, Vincent Massol <vincent(a)massol.net> wrote:
On 14 Apr 2016, at 17:55, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
On Thu, Apr 14, 2016 at 4:52 PM, Marius Dumitru Florea <mariusdumitru.florea(a)xwiki.com> wrote:
> On Thu, Apr 14, 2016 at 5:43 PM, Vincent Massol <vincent(a)massol.net> wrote:
>
>> Hi devs,
>>
>> I’m implementing http://jira.xwiki.org/browse/XWIKI-10375 ("Refactor the
>> temporary resource concept inside the Resource module") and I need to
>> define a URL format for the new “tmp” resource type.
>>
>> I’m proposing the following:
>>
>>
>> http://<server>/<context>/tmp/<module id>/<serialized owner document reference>/<module-dependent resource path>
>>
> Serialized document reference uses backslash to escape special characters
> which breaks the URL in Tomcat for security reasons.
Badly configured Tomcat does not like a slash, but are you sure about a backslash?
Yes, it’s both.
FTR http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security
-Vincent
Thanks
-Vincent
>
>>> This is based on the existing TemporaryResourceReference at:
>>>
>>>
https://github.com/xwiki/xwiki-platform/blob/96caad053c14fc5546e9bc141bc284…
>>>
>>> For example:
>>>
>>> http://<server>/<context>/tmp/officeviewer/A.B.WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
>>>
>>> Note that in this example from the officeviewer macro the module-dependent
>>> resource path consists of:
>>>
>>> - base64(name of office attachment + hashcode(parameters))
>>>
>> See http://jira.xwiki.org/browse/XWIKI-11528 for the rationale behind it. I
>> was trying to avoid backslash (from the serialized attachment reference) in
>> the URL.
>>
>>
>>> - generated image name from PPT
>>>
>>> In this case, the implementation would generate the following file:
>>>
>>>
>>> [TMPDIR]/officeviewer/A/B/WebHome/Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg
>>>
>>> WDYT?
>>>
>>> Thanks
>>> -Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
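The point made in the thread is that the segments of a tmp URL become directory names under [TMPDIR], so whatever Tomcat or a Filter does with %2F and %5C, the decoded segments still have to be validated before they touch the filesystem. The following is an added example, not XWiki's TemporaryResourceReference code: it maps the proposed URL format onto a file under [TMPDIR] and rejects anything that would escape it. It assumes a simplified reference syntax in which "." separates the space and document components and "\" escapes the next character; the class and method names are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/**
 * Resolves a tmp resource (module id, serialized owner document reference,
 * module-dependent resource path) to a file below [TMPDIR], refusing any
 * input that would escape that directory. Example code, not XWiki's own.
 */
public final class TemporaryResourcePathResolver
{
    private final Path root;

    public TemporaryResourcePathResolver(Path tmpDir)
    {
        this.root = tmpDir.toAbsolutePath().normalize();
    }

    /**
     * @param moduleId e.g. "officeviewer"
     * @param serializedOwnerReference e.g. "A.B.WebHome" (assumed syntax: "." separates
     *        components, "\" escapes the following character)
     * @param resourcePath e.g. "Q29t.../Company+Presentation-slide0.jpg", as decoded
     *        once by the container (never decode it a second time here)
     */
    public Path resolve(String moduleId, String serializedOwnerReference, String resourcePath)
    {
        List<String> segments = new ArrayList<>();
        segments.add(moduleId);
        segments.addAll(splitReference(serializedOwnerReference));
        for (String part : resourcePath.split("/")) {
            segments.add(part);
        }

        Path result = this.root;
        for (String segment : segments) {
            checkSegment(segment);
            result = result.resolve(segment);
        }
        // Belt and braces: even after per-segment checks, the final path must stay inside root.
        result = result.normalize();
        if (!result.startsWith(this.root) || result.equals(this.root)) {
            throw new IllegalArgumentException("Resource path escapes " + this.root);
        }
        return result;
    }

    /** Splits "A.B\.C.WebHome" into ["A", "B.C", "WebHome"]; escaped characters are kept literally. */
    static List<String> splitReference(String serialized)
    {
        List<String> parts = new ArrayList<>();
        StringBuilder current = new StringBuilder();
        for (int i = 0; i < serialized.length(); i++) {
            char c = serialized.charAt(i);
            if (c == '\\' && i + 1 < serialized.length()) {
                current.append(serialized.charAt(++i));
            } else if (c == '.') {
                parts.add(current.toString());
                current.setLength(0);
            } else {
                current.append(c);
            }
        }
        parts.add(current.toString());
        return parts;
    }

    /** A segment must be a single, non-special directory or file name. */
    static void checkSegment(String segment)
    {
        if (segment.isEmpty() || segment.equals(".") || segment.equals("..")
            || segment.indexOf('/') >= 0 || segment.indexOf('\\') >= 0 || segment.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("Illegal path segment: [" + segment + "]");
        }
    }

    public static void main(String[] args)
    {
        TemporaryResourcePathResolver resolver = new TemporaryResourcePathResolver(Paths.get("/tmp/xwiki"));
        System.out.println(resolver.resolve("officeviewer", "A.B.WebHome",
            "Q29tcGFueSBQcmVzZW50YXRpb24ucHB0/Company+Presentation-slide0.jpg"));
        try {
            resolver.resolve("officeviewer", "A.B.WebHome", "../../../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design choices matter here. First, the input is taken as already decoded by the container: a Filter that re-encodes %2F and %5C into something else and decodes them again later would hand this code a string that has been decoded twice, which is exactly the "hiding the problem" case in the thread. Second, the per-segment check and the final `startsWith(root)` check are both kept; the former gives a precise error, the latter catches anything the segment rules miss.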