xwiki-devs May 2010

xwiki-devs@xwiki.org

30 participants
85 discussions

by Ibrahim hammani

Hi, How do I add a custom access levels to my xwiki. (eg : upload level, Here the user can edit the page but can't add attachments to it) . I tried to implant some solutions using groovy but i dind't succeed, so is there any other way please let me know. thanks.

14 years, 7 months

[xwiki-devs] [Proposal] Prefix the database name used as class name on the document body to avoid conflict with other classes (XWIKI-5165)

by Jerome Velociter

Hi devs, Due to special circumstances (hitting XWIKI-5166 while upgrade XWiki.org to 2.3), we've face the <body> database className conflict again, on code.xwiki.org. What happens is that the "code" DOM class name is apposed to the body element (see htmlheader.vm), and this interferes with styles defined for the {{code}} macro. Potentially there are other scenarios where class names can conflict with database names. I propose we prefix the apposed class name with "wiki-" (that's what we've been doing on xwiki.org for some time now) in order to avoid this. Though, we need to agree on this, since it can be a breaking change for those who relied on that "feature" to skin differently different wikis on a farm. WDYT ? Jerome.

14 years, 7 months

[xwiki-devs] [Proposal] Define our security requirements.

by Caleb James DeLisle

It might sound silly but if there are no security requirements then there are no security holes. We all know when we see something which shouldn't happen but I don't think there is any page defining exactly what the security requirements are. 1. Users should not be able to spawn additional processes on the server. 2. Users should not be able to commit changes to the database except through the saveDocument function. 3. Users should not be able to save documents without their name as the author or contentAuthor as applicable. 4. Guests should not be able to execute server side script except that which was written and saved by a user. This list is doesn't cover much yet, I hope to see some additions and discussion of may code may violate some the rules as well as how we can have 'untrusted' code which is unable to violate the rules. I propose we put up a design page for maintenance of this list. WDYT? Caleb

14 years, 7 months

Re: [xwiki-devs] [xwiki-notifications] r28744 - in enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui: . elements framework

by Vincent Massol

On May 5, 2010, at 7:38 PM, sdumitriu (SVN) wrote: > Author: sdumitriu > Date: 2010-05-05 19:38:38 +0200 (Wed, 05 May 2010) > New Revision: 28744 > > Added: > enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/EscapeTest.java > Modified: > enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/elements/FormPage.java > enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/framework/TestUtils.java > Log: > XWIKI-5161: Using XML symbols (<, >, &, ") inside the document title/name/space breaks various parts of the UI and causes the PDF export to throw exceptions > Added test. hmm shouldn't the test be more "functional"? For example, if we test the create page use case using a page with a special char, we could test this use case at the same time, no? Thanks -Vincent > Added: enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/EscapeTest.java > =================================================================== > --- enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/EscapeTest.java (rev 0) > +++ enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/EscapeTest.java 2010-05-05 17:38:38 UTC (rev 28744) > @@ -0,0 +1,46 @@ > +/* > + * See the NOTICE file distributed with this work for additional > + * information regarding copyright ownership. > + * > + * This is free software; you can redistribute it and/or modify it > + * under the terms of the GNU Lesser General Public License as > + * published by the Free Software Foundation; either version 2.1 of > + * the License, or (at your option) any later version. > + * > + * This software is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + * Lesser General Public License for more details. > + * > + * You should have received a copy of the GNU Lesser General Public > + * License along with this software; if not, write to the Free > + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA > + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. > + */ > +package org.xwiki.it.ui; > + > +import junit.framework.Assert; > + > +import org.junit.Test; > +import org.xwiki.it.ui.framework.AbstractAdminAuthenticatedTest; > +import org.xwiki.it.ui.framework.TestUtils; > + > + > +/** > + * Test various character escaping bugs. > + * > + * @version $Id$ > + * @since 2.4M1 > + */ > +public class EscapeTest extends AbstractAdminAuthenticatedTest { > + > + @Test > + public void testEditReflectedXSS() > + { > + // tests for XWIKI-4758, XML symbols should be escaped > + String page = "<>'?&\""; > + TestUtils.gotoPage("Main", TestUtils.escapeURL(page), "edit", getDriver()); > + Assert.assertTrue(getDriver().getPageSource().indexOf(page) < 0); > + } > +} > + > > > Property changes on: enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/EscapeTest.java > ___________________________________________________________________ > Name: svn:keywords > + Author Id Revision HeadURL > Name: svn:eol-style > + native > > Modified: enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/elements/FormPage.java > =================================================================== > --- enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/elements/FormPage.java 2010-05-05 16:17:06 UTC (rev 28743) > +++ enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/elements/FormPage.java 2010-05-05 17:38:38 UTC (rev 28744) > @@ -31,7 +31,7 @@ > /** > * Represents a Form. > * > - * @version $Id:$ > + * @version $Id$ > * @since 2.4M1 > */ > public class FormPage extends BasePage > > Modified: enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/framework/TestUtils.java > =================================================================== > --- enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/framework/TestUtils.java 2010-05-05 16:17:06 UTC (rev 28743) > +++ enterprise/trunk/distribution-test/ui-tests/src/test/it/org/xwiki/it/ui/framework/TestUtils.java 2010-05-05 17:38:38 UTC (rev 28744) > @@ -41,7 +41,7 @@ > > public static void gotoPage(String space, String page, String action, WebDriver driver) > { > - gotoPage(space, page, "view", null, driver); > + gotoPage(space, page, action, null, driver); > } > > public static void gotoPage(String space, String page, String action, String queryString, WebDriver driver)

14 years, 7 months

Re: [xwiki-devs] [xwiki-notifications] r28709 - platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki

by Vincent Massol

On May 4, 2010, at 10:50 PM, sdumitriu (SVN) wrote: > Author: sdumitriu > Date: 2010-05-04 22:50:34 +0200 (Tue, 04 May 2010) > New Revision: 28709 > > Modified: > platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java > Log: > XWIKI-5156: Session cookies are not marked as HttpOnly > Fixed > > Modified: platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java > =================================================================== > --- platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04 20:50:00 UTC (rev 28708) > +++ platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/impl/xwiki/MyPersistentLoginManager.java 2010-05-04 20:50:34 UTC (rev 28709) > @@ -245,7 +245,31 @@ > LOG.debug("Adding cookie: " + cookie.getDomain() + cookie.getPath() + " " + cookie.getName() + "=" > + cookie.getValue()); > } > - response.addCookie(cookie); > + // We don't use the container's response.addCookie, since the HttpOnly cookie flag was introduced only recently > + // in the servlet specification, and we're still using the older 2.4 specification as a minimal requirement for > + // compatibility with as many containers as possible. Instead, we write the cookie manually as a HTTP header. AFAIK addCookie is avail in the the 2.3 spec: http://java.sun.com/products/servlet/2.3/javadoc/javax/servlet/http/HttpSer… Thanks -Vincent > + StringBuilder cookieValue = new StringBuilder(150); > + cookieValue.append(cookie.getName() + "="); > + if (StringUtils.isNotEmpty(cookie.getValue())) { > + cookieValue.append("\"" + cookie.getValue() + "\""); > + } > + cookieValue.append("; Version=1"); > + if (cookie.getMaxAge() >= 0) { > + cookieValue.append("; Max-Age=" + cookie.getMaxAge()); > + } else { > + cookieValue.append("; Discard"); > + } > + if (StringUtils.isNotEmpty(cookie.getDomain())) { > + // IE needs toLowerCase for the domain name > + cookieValue.append("; Domain=" + cookie.getDomain().toLowerCase()); > + } > + if (StringUtils.isNotEmpty(cookie.getPath())) { > + cookieValue.append("; Path=" + cookie.getPath()); > + } > + // Protect cookies from being used from JavaScript, see http://www.owasp.org/index.php/HttpOnly > + cookieValue.append("; HttpOnly"); > + > + response.addHeader("Set-Cookie", cookieValue.toString()); > } > > /**

14 years, 7 months

Re: [xwiki-devs] Curriki 1.8.5 - Local Installation - Pom configuration error

by Jerome Velociter

Release tags should not refer to SNAPSHOT dependencies. It seems the tag has not been made with maven tag plugin. Either you can "fix" the tag by changing the dependency to a non-SNAPSHOT version (like 24), or try to build the trunk which should refer to more recent deps (i.e., that still exists in the maven repo). Regards, Jerome. -- View this message in context: http://xwiki.475771.n2.nabble.com/Curriki-1-8-5-Local-Installation-Pom-conf… Sent from the XWiki- Dev mailing list archive at Nabble.com.

14 years, 7 months

Re: [xwiki-devs] [xwiki-notifications] r28726 - platform/web/branches/xwiki-web-2.3/standard/src/main/webapp/templates

by Sergiu Dumitriu

On 05/05/2010 02:28 PM, tmortagne (SVN) wrote: > Author: tmortagne > Date: 2010-05-05 14:28:17 +0200 (Wed, 05 May 2010) > New Revision: 28726 > > Modified: > platform/web/branches/xwiki-web-2.3/standard/src/main/webapp/templates/commentsinline.vm > platform/web/branches/xwiki-web-2.3/standard/src/main/webapp/templates/informationinline.vm > Log: > [misc] Fix XHTML validity > > Modified: platform/web/branches/xwiki-web-2.3/standard/src/main/webapp/templates/commentsinline.vm > =================================================================== > --- platform/web/branches/xwiki-web-2.3/standard/src/main/webapp/templates/commentsinline.vm 2010-05-05 12:27:21 UTC (rev 28725) > +++ platform/web/branches/xwiki-web-2.3/standard/src/main/webapp/templates/commentsinline.vm 2010-05-05 12:28:17 UTC (rev 28726) > @@ -90,7 +90,7 @@ > #foreach($name in $request.getParameterNames()) > #set($queryString = "$!queryString&$name=$escapetool.url($request.get($name))") > #end > - $response.sendRedirect("$doc.getURL('view')?captchaAnswerWrong=1&$queryString"); > + $response.sendRedirect("$doc.getURL('view', "captchaAnswerWrong=1&$queryString")"); Are you sure this works? Looks like nested quotes which makes Velocity a bit unhappy... Also the & is still unescaped. $response.sendRedirect($doc.getURL('view', "captchaAnswerWrong=1&$queryString")); > #end > $response.setContentLength(0) > #stop -- Sergiu Dumitriu http://purl.org/net/sergiu/

14 years, 7 months

Re: [xwiki-devs] SVN Application for XWiki

by Denis Gervalle

On Mon, May 3, 2010 at 21:54, Ludovic Dubost <ludovic(a)xwiki.org> wrote: > > Hi Denis, > > Thanks for the feedback and testing > > > Le 03/05/10 21:20, Denis Gervalle a écrit : > > Hi Ludovic, >> >> I have made some quick testing of this application in our sandbox, and I >> have discovered weird issues in relation with the document history. >> >> Here is what I have noticed so far: >> >> I've seen indeed some issue with the history. I thought it was limited to > having to resave the document to fix it. > Resaving may be not possible due to the exception you may get when you save. > I will look into it. I had to add some code specially for handling > attachments. I suspect that is what is creating the problems No attachment in my test, just a very small page. The issue is in the way you manage archives. > - Checking out new document from the repository, the document does not >> have >> an history at all, and the creator of the document is not set >> - Checking out a existing document from the repository (reverting a >> change), cause the history of the document to be somewhat inverted, the >> current document being 1.1 version and the history containing later >> versions... (except when only 1.1 version were existing). The document >> also >> cause an exception when you try to save some modification to it: >> >> Detailed information: >> Error number 3201 in 3: Exception while saving document Main.TestPage2 >> Wrapped Exception: Failed to commit or rollback transaction. Root cause >> [] >> com.xpn.xwiki.XWikiException: Error number 3201 in 3: Exception while >> saving document Main.TestPage2 >> Wrapped Exception: Failed to commit or rollback transaction. Root cause >> [] >> at >> >> com.xpn.xwiki.store.XWikiHibernateStore.saveXWikiDoc(XWikiHibernateStore.java:638) >> ... >> Wrapped Exception: >> org.hibernate.StaleStateException: Batch update returned unexpected row >> count from update [1]; actual row count: 0; expected: 1 >> >> The change is then recorded in the archive and not in the document, >> creating >> the same "inverted" history situation. I suspect it happen due to >> a discrepancy between the cache and the database, since after a restart, >> the >> 1.1 (current) version is no more in the history. >> >> - After a restart, I also got some "C" status, which are not documented, >> and I imagine, means conflict. But since this is just a restart that cause >> them, this not expected. Looking at the details, this append on groups, >> because of object GUID changes without any other changes, and it may be >> unrelated to your application in particular. >> > Interesting. How come would GUID change in groups ? > I do not investigate, just noticed that after a tomcat restart, one GUID has changed on all groups. > Indeed this does not seem related to the SVN app. > Either this is normal and then we could change the comparaison to ignore > such GUID changes. However the GUID is important data. Probably it is not related and would not do that. - At an initial attempt to go back to the list after committing and then >> updating a new page, it has shown a status of '?' in place of 'M', but I >> have not reproduced that later :( >> > The only reason to show ? is that either > > there is a change both in SVN and in the Wiki > Does this means C and not "?" ? > OR > the status information is not filled in Agree, and I have get that while the status is available, but I was unable to reproduce :( > - SVN operations also cause the recycle bin to contains deleted >> document, >> is it intended ? >> > This is possible.. I have to check > > > I also have a question regarding the usage of the status field. Why it is >> required to keep this status ? if needed, why coding it in place of >> keeping >> it with each document (in an xobject) ? >> >> I thought about that but did not want the SVN application to have any > impact on the wiki you want to commit to SVN > Well, it would be nice, but it has more than you expect, and the way you get rid of the Tag object could also be an issue, due to the bad way object are deleted currently in documents. Do you really need that status information ? Denis On Thu, Apr 22, 2010 at 19:42, Ludovic Dubost<ludovic(a)xwiki.com> wrote: >> >> Hi, >>> >>> >>> If you are following the xwiki comments, you might have seen that I've >>> been >>> working on an SVN application for XWiki. >>> >>> I've published this application here: >>> http://code.xwiki.org/xwiki/bin/view/Applications/SVNApplication >>> >>> The objective of this application is to bring to XWiki Applications more >>> professional development practices. >>> One of them is the ability to do version management of XWiki >>> applications. >>> Of course XWiki contains versioning but this versioning does not apply >>> accross wikis and makes it difficult to contribute code back to the >>> community. >>> >>> With the SVN application you can now directly contribute code and code >>> updates to the XWiki SVN contrib repository or to any other SVN >>> repository. >>> You can even commit in multiple SVN repositories in the same Wiki. >>> >>> The SVN Application supports: >>> >>> 1/ Compare the Wiki (limited to a list of spaces) with the SVN repository >>> listing >>> - added pages in the wiki >>> - modified pages in the wiki >>> - new pages in SVN >>> - modified pages in SVN >>> - conflicting pages modified in both SVN and the Wiki >>> 2/ Commit in the SVN Repository >>> 3/ Update from the SVN Repostory >>> 4/ Show differences between SVN and the Wiki (in XML) >>> >>> The SVN Application does not provide merging and conflict resolution. The >>> SVN Application normalizes XWiki XML allowing the cleanup the XML to not >>> have the user, the dates, comments. This is necessary to provide >>> concurrent >>> development on multiple XWiki server without telling you that the pages >>> have >>> changed all the time. >>> >>> The source code is of course in SVN at >>> http://svn.xwiki.org/svnroot/xwiki/contrib/sandbox/xwiki-svn/ >>> >>> Ludovic >>> >>> -- >>> Ludovic Dubost >>> Blog: http://blog.ludovic.org/ >>> XWiki: http://www.xwiki.com >>> Skype: ldubost GTalk: ldubost >>> >>> >>> _______________________________________________ >>> devs mailing list >>> devs(a)xwiki.org >>> http://lists.xwiki.org/mailman/listinfo/devs >>> >>> >>> >> > > -- > Ludovic Dubost > Blog: http://blog.ludovic.org/ > XWiki: http://www.xwiki.com > Skype: ldubost GTalk: ldubost > > -- Denis Gervalle SOFTEC sa - CEO eGuilde sarl - CTO

14 years, 7 months

[xwiki-devs] [Proposal] Fix inconsistencies in access to the change password feature

by Denis Gervalle

Hi devs, I would like to fix the current inconsistencies in the way the change password feature is implemented. Actually, to be able to change a password, you need to be able to save the document storing the XWikiUsers XObject. So edit right on the user profile is just what you require, but, if you want to use the "change password" feature implemented in passwd.vm, you need: - either being on your own profile or having global (!) admin right, just to see the "Change password" button - either being on your own profile or having (local) admin right on this profile, just to be able to use passwd.vm This seems to me really inconsistant, since these protections implemented in the UI part are either annoying or a false impression of security. So, I propose to simplify this by only checking the real requirements, which means only checking edit right on the user document ? WDYT ? Denis -- Denis Gervalle SOFTEC sa - CEO eGuilde sarl - CTO

14 years, 7 months

[xwiki-devs] xwiki-core-xmlrpc-client-2.1.1.jar

by Vivian Richard

Where can I find this jar file? On this page there is a link but it does not work - http://platform.xwiki.org/xwiki/bin/view/Features/XMLRPCJavaExamples the link is: http://maven.xwiki.org/releases/org/xwiki/platform/xwiki-core-xmlrpc-client…

14 years, 7 months

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

xwiki-devs May 2010