I am using tomcat 7.
Thank you for the advice on how to exclude the page, I will use it!
However, is there any way to block the usage of the slash by the users?
Not yet. As far as I understand the recommended fix is to reconfigure tomcat so it does
not forbid the encoded version of the slash as explained here:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
i.e. adding -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true to the
CATALINA_OPTS
The same note points out that without setting the other property there you can shoot
yourself in the foot with a backslash '\' as well, and I can fully confirm this :)
As not every user might be willing to configure tomcat in a way that is considered
"disabling a security setting", I wonder if it would be acceptable to add a
configuration setting that contains a list of "illegal characters" for page
names, which then can be set to '\' and '/' if XWiki is running inside a
tomcat with its default configuration.
(Actually implementing this might be a bit tricky, as there are other ways to create a
page with a '/' in the name, e.g. rename, copy and XAR-import, just to mention the
few I can imagine on the spot ...)
Clemens