From: Vincent | at: Mon, 16.11.2015, 11:53
On 16 Nov 2015 at 11:35:27, Caleb James DeLisle (cjd(a)cjdns.fr) wrote:
+1 for Option 2 or 2A
As I understand, we're only talking about URL escaped / which both Tomcat and Apache
httpd will
"do things with", tomcat blocks it, Apache either blocks or *unescapes* it
depending on setup.
To be clear is both “/“ and “\” for Tomcat (see my mail). I don’t know about Apache
HTTPD’s defaults (you have a pointer?).
-Vincent
Actually by default apache httpd does not allow encoded slashes at all:
https://httpd.apache.org/docs/2.4/en/mod/core.html#allowencodedslashes
Personally I prefer a third option:
- disallow '/' and '\' in page names completely when creating / renaming
pages
- in the UI, if the user enters these characters to add (or rename), scrap them from the
page name, or replace then by '-' (they will still show up in the title)
and create a new page with the name without the slashes
- make this configureable, like 'xwiki.pagename.forbiddenchars=/\\'
and then people who are able to set up their servlet container to allow slashes can
empty that config variable.
just an idea
Clemens
Thanks,
Caleb
On 16/11/15 10:21, vincent(a)massol.net wrote:
Hi guys,
I think we need to an agreement on how to handle the default Tomcat security which
disables the usage of / and \ in URLs (even URL-encoded). See
http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-…
We have 2 main options:
* Option 1: Tell users to disable this security feature of Tomcat:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security. In this case we
just need to review our code to ensure we’re not subject to directory traversal attacks
(see
https://en.wikipedia.org/wiki/Directory_traversal_attack).
* Option 2: Decide to make it easy for Tomcat users (since it’s probably the typical
servlet container used by our users) and to not use / and \ in our URLs.
Option 2 means modifying our code. There are various possibilities:
* A) Replace the “/“ and “\” characters by other characters in URLs and modify our URL
Serialization code (implementations of XWikiURLFactory) and our URL parsing code (URL
modules).
* B) Use a different encoding. Marius has used Base64 encoding for
http://jira.xwiki.org/browse/XWIKI-11528. However this cannot be a generic solution since
it leads to large URLs and also makes the URL not legible anymore. So this solution could
only be for internal URLs.
* Other?
For A), it could b a character like ‘|' for ‘/' (and thus “||" if you want
to have a real ‘|') and ‘~’ for ‘\’ (and “~~” if you want to have a real ‘\’).
So there are 2 questions in this thread:
* Do we want to be Tomcat-friendly?
* If so, what strategy do we apply?
WDYT?
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs