Re: [xwiki-devs] [VOTE] Restrict the location of skin resources inside Jars for security

Hi devs, Initially I didn't activate the resource skin extensions plugins (jsrx and ssrx) for security considerations, since they can be used to read any file from the classpath. I had forgotten to work on that, and now they have been enabled and used in their current implementation for a while. This means that changing the behavior will cause backward incompatibilities... So, I'm proposing that all skin resources packaged inside Jars should reside under the /skinx/ root directory. This prefix shouldn't be included in the pulled URL, it will be appended internally, and enforced to prevent any /skinx/../privateresource tricks. For example: $xwiki.jsrx.use('/gmaps/gmaps.js') will look for /skinx/gmaps/gmaps.js inside jars and the /classes/ directory. As a migration plan I'd like to implement this check ASAP, add a configuration for enabling the old behavior (if no resource was found with the skinx prefix, search without the prefix), which should be set to true by default in 4.5. Trigger a warning (in the logs) when such a deprecated resource is found. For 5.0 we switch to false by default, and in 6.0 we remove the switch completely. WDYT?