I really don't like Option 2, it will only lead to way too much
complexity and it's impossible to do it cleanly. URLs already have an
encoding syntax and Tomcat should follow it as it's supposed to. It's
much better and not very hard to finally add a first validator page in
the DW to check things like Tomcat settings, memory allocation etc.
On Mon, Nov 16, 2015 at 10:21 AM, vincent(a)massol.net <vincent(a)massol.net> wrote:
Hi guys,
I think we need to reach an agreement on how to handle the default Tomcat security which
disables the usage of / and \ in URLs (even URL-encoded). See
http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-…
We have 2 main options:
* Option 1: Tell users to disable this security feature of Tomcat:
http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security. In this case we
just need to review our code to ensure we’re not subject to directory traversal attacks
(see
https://en.wikipedia.org/wiki/Directory_traversal_attack).
* Option 2: Decide to make it easy for Tomcat users (since it’s probably the typical
servlet container used by our users) and to not use / and \ in our URLs.
Option 2 means modifying our code. There are various possibilities:
* A) Replace the “/” and “\” characters by other characters in URLs and modify our URL
Serialization code (implementations of XWikiURLFactory) and our URL parsing code (URL
modules).
* B) Use a different encoding. Marius has used Base64 encoding for
http://jira.xwiki.org/browse/XWIKI-11528. However this cannot be a generic solution since
it leads to large URLs and also makes the URL not legible anymore. So this solution could
only be for internal URLs.
* Other?
For A), it could be a character like ‘|’ for ‘/’ (and thus “||” if you want
to have a real ‘|’) and ‘~’ for ‘\’ (and “~~” if you want to have a real ‘\’).
So there are 2 questions in this thread:
* Do we want to be Tomcat-friendly?
* If so, what strategy do we apply?
WDYT?
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne
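The Option A escaping from the quoted message, as an added example (Python, not XWiki's URL factory or parser code): it serializes one path segment with '|' for '/', '~' for '\' and doubled characters for literal '|' and '~', parses it back, and checks the percent-encoded result carries no %2F or %5C. It also exercises the doubling rule's edge case: "/|" and "|/" both serialize to "|||", so a left-to-right parser cannot tell them apart.

```python
# Added example, not XWiki code. Assumed rules (from the thread's Option A):
# '/' -> '|', '\' -> '~', literal '|' -> '||', literal '~' -> '~~'.
from urllib.parse import quote

SEPARATOR_TO_ESCAPE = {"/": "|", "\\": "~"}
ESCAPE_TO_SEPARATOR = {"|": "/", "~": "\\"}


def escape_segment(value: str) -> str:
    """Serialize a segment so it contains no raw '/' or '\\' (the URL-serialization side)."""
    out = []
    for ch in value:
        if ch in ESCAPE_TO_SEPARATOR:          # literal '|' or '~': double it
            out.append(ch + ch)
        else:
            out.append(SEPARATOR_TO_ESCAPE.get(ch, ch))
    return "".join(out)


def unescape_segment(encoded: str) -> str:
    """Parse left to right: a doubled escape char is literal, a single one is a separator."""
    out = []
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        if ch in ESCAPE_TO_SEPARATOR:
            if encoded[i + 1:i + 2] == ch:     # '||' or '~~' -> the literal character
                out.append(ch)
                i += 2
            else:                              # single '|' or '~' -> '/' or '\'
                out.append(ESCAPE_TO_SEPARATOR[ch])
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def to_url_segment(value: str) -> str:
    """Escape, then percent-encode everything else; '/' and '\\' never reach the URL,
    so Tomcat's default rejection of %2F / %5C is not triggered."""
    return quote(escape_segment(value), safe="")


def round_trips(value: str) -> bool:
    """Does a segment survive escape/unescape? False for '/|', which collides with '|/'."""
    return unescape_segment(escape_segment(value)) == value


if __name__ == "__main__":
    for sample in ("Main/Web\\Home", "a|b~c", "|/", "/|"):   # constructed inputs
        print(repr(sample), "->", to_url_segment(sample), "round-trips:", round_trips(sample))
```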