Hi devs,

Initially I didn't activate the resource skin extensions plugins (jsrx
and ssrx) for security considerations, since they can be used to read
any file from the classpath. I had forgotten to work on that, and now
they have been enabled and used in their current implementation for a
while. This means that changing the behavior will cause backward
incompatibilities...

So, I'm proposing that all skin resources packaged inside Jars should
reside under the /skinx/ root directory. This prefix shouldn't be
included in the pulled URL, it will be appended internally, and enforced
to prevent any /skinx/../privateresource tricks.

For example:

$xwiki.jsrx.use('/gmaps/gmaps.js')

will look for /skinx/gmaps/gmaps.js inside jars and the /classes/ directory.

As a migration plan I'd like to implement this check ASAP, add a
configuration for enabling the old behavior (if no resource was found
with the skinx prefix, search without the prefix), which should be set
to true by default in 4.5. Trigger a warning (in the logs) when such a
deprecated resource is found. For 5.0 we switch to false by default, and
in 6.0 we remove the switch completely.

WDYT?
-- 
Sergiu Dumitriu
http://purl.org/net/sergiu
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
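The prefix enforcement proposed above, as an added example that is not XWiki's own code: a hypothetical `SkinxResourceLocator` class that canonicalises the requested name, refuses any `..` segment outright (so `/skinx/../privateresource` never reaches the classloader), prepends `skinx/` internally, and implements the proposed compatibility switch as a constructor flag that falls back to the unprefixed lookup and logs a deprecation warning. The class name, the `legacyLookupEnabled` flag and the use of `java.util.logging` are assumptions for illustration.

```java
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

/**
 * Hypothetical resolver for jsrx/ssrx resources packaged in jars
 * (illustrative example, not XWiki's own implementation).
 * The caller asks for "/gmaps/gmaps.js"; lookups only ever happen under "skinx/".
 */
public final class SkinxResourceLocator {
    /** Root directory for skin resources inside jars and the /classes/ directory. */
    static final String SKINX_ROOT = "skinx/";

    private static final Logger LOG = Logger.getLogger(SkinxResourceLocator.class.getName());

    private final ClassLoader loader;
    /** The proposed migration switch: retry without the prefix when nothing is found under skinx/. */
    private final boolean legacyLookupEnabled;

    public SkinxResourceLocator(ClassLoader loader, boolean legacyLookupEnabled) {
        this.loader = loader;
        this.legacyLookupEnabled = legacyLookupEnabled;
    }

    /**
     * Canonicalises the requested name and rejects anything that could escape
     * the skinx root. Returns null when the request is not acceptable.
     * Assumes the caller has already URL-decoded the name.
     */
    static String canonicalName(String requested) {
        if (requested == null || requested.indexOf('\0') >= 0 || requested.indexOf('\\') >= 0) {
            return null;                // NUL bytes and backslashes have no place in a resource name
        }
        List<String> segments = new ArrayList<>();
        for (String segment : requested.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;               // "//" and "/./" are harmless noise, drop them
            }
            if (segment.equals("..")) {
                return null;            // never resolve "..": no skin file needs it
            }
            segments.add(segment);
        }
        if (segments.isEmpty()) {
            return null;                // "/" alone names the root, not a resource
        }
        return String.join("/", segments);
    }

    /** Resolves a jsrx/ssrx resource name to a classpath URL, or null if not found or rejected. */
    public URL resolve(String requested) {
        String name = canonicalName(requested);
        if (name == null) {
            LOG.warning("Rejected skin resource request: " + requested);
            return null;
        }
        // The prefix is appended here, never taken from the request.
        URL found = loader.getResource(SKINX_ROOT + name);
        if (found == null && legacyLookupEnabled) {
            // Migration path: the unprefixed location still works but is deprecated.
            found = loader.getResource(name);
            if (found != null) {
                LOG.warning("Skin resource '" + name + "' found outside " + SKINX_ROOT
                    + "; move it under /" + SKINX_ROOT + " (deprecated lookup)");
            }
        }
        return found;
    }

    public static void main(String[] args) {
        SkinxResourceLocator locator =
            new SkinxResourceLocator(SkinxResourceLocator.class.getClassLoader(), true);
        System.out.println(canonicalName("/gmaps/gmaps.js"));
        System.out.println(canonicalName("/skinx/../privateresource"));
        System.out.println(canonicalName("/./gmaps//gmaps.js"));
        System.out.println(locator.resolve("/gmaps/gmaps.js"));
    }
}
```

Rejecting `..` rather than resolving it is deliberate: resolving would have to be done with the exact semantics of every classloader on the path, while a skin resource never legitimately needs a parent reference. Note that with `legacyLookupEnabled` set to true the unprefixed fallback still exposes any classpath resource reachable by plain name, which is exactly why the proposal flips the default to false in 5.0 and removes the switch in 6.0.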