On Sun, Jan 13, 2013 at 1:53 AM, Sergiu Dumitriu <[email protected]> wrote:
> Hi devs,
>
> Initially I didn't activate the resource skin extensions plugins (jsrx
> and ssrx) for security considerations, since they can be used to read
> any file from the classpath. I had forgotten to work on that, and now
> they have been enabled and used in their current implementation for a
> while. This means that changing the behavior will cause backward
> incompatibilities...
>
> So, I'm proposing that all skin resources packaged inside Jars should
> reside under the /skinx/ root directory. This prefix shouldn't be
> included in the pulled URL, it will be appended internally, and enforced
> to prevent any /skinx/../privateresource tricks.
>
> For example:
>
> $xwiki.jsrx.use('/gmaps/gmaps.js')
>
> will look for /skinx/gmaps/gmaps.js inside jars and the /classes/ directory.
The downside is that we won't be able to (re)use JS/CSS from third-party
jars (not built by us). Why not filter access based on file extension?
jsrx could accept only *.js and ssrx only *.css.

Thanks,
Marius

> As a migration plan I'd like to implement this check ASAP, add a
> configuration for enabling the old behavior (if no resource was found
> with the skinx prefix, search without the prefix), which should be set
> to true by default in 4.5. Trigger a warning (in the logs) when such a
> deprecated resource is found. For 5.0 we switch to false by default, and
> in 6.0 we remove the switch completely.
>
> WDYT?
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
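The two checks discussed in this thread, Sergiu's internally appended /skinx/ root with rejection of any ../ component, and Marius's per-plugin extension filter, together with the proposed migration fallback that logs a deprecation warning, as an added worked example in Java. This is illustrative code written for this page, not XWiki's jsrx/ssrx implementation: the class name SkinxResourceResolver, its methods, and the use of ClassLoader.getResource for the jar and classes lookup are assumptions. Set.of needs Java 9 or later.

```java
import java.net.URL;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Added example, not XWiki code: resolves a skin resource name as passed to
 * $xwiki.jsrx.use('/gmaps/gmaps.js') to a classpath entry under the fixed
 * "skinx/" root. The root is appended here, never taken from the caller, and
 * any request that could escape it is rejected before the classpath is touched.
 * Class and method names are assumptions made for this example.
 */
public final class SkinxResourceResolver {
    private static final Logger LOG = Logger.getLogger(SkinxResourceResolver.class.getName());
    private static final String ROOT = "skinx/";

    private final Set<String> allowedExtensions; // {"js"} for jsrx, {"css"} for ssrx
    private final boolean legacyFallback;        // migration switch: also look without the root

    public SkinxResourceResolver(Set<String> allowedExtensions, boolean legacyFallback) {
        this.allowedExtensions = allowedExtensions;
        this.legacyFallback = legacyFallback;
    }

    /**
     * Normalizes a requested path into a resource name below the skinx root.
     * Returns null when the request is rejected.
     */
    static String toSkinxName(String requested, Set<String> allowedExtensions) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Reject alternative separators and encodings outright instead of
        // normalizing them, so there is exactly one accepted spelling per path.
        if (requested.indexOf('\\') >= 0 || requested.indexOf('%') >= 0
                || requested.indexOf('\0') >= 0) {
            return null;
        }
        StringBuilder name = new StringBuilder(ROOT);
        String lastSegment = null;
        for (String segment : requested.split("/")) {
            if (segment.isEmpty()) {
                continue; // leading or doubled slash
            }
            if (segment.equals(".") || segment.equals("..")) {
                return null; // any traversal component rejects the whole request
            }
            if (lastSegment != null) {
                name.append('/');
            }
            name.append(segment);
            lastSegment = segment;
        }
        if (lastSegment == null) {
            return null; // nothing but slashes
        }
        // Extension filter: the file name itself must end in an allowed extension.
        int dot = lastSegment.lastIndexOf('.');
        String extension = dot < 0 ? "" : lastSegment.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!allowedExtensions.contains(extension)) {
            return null;
        }
        return name.toString();
    }

    /** Looks the sanitized name up in jars and the classes directory via the class loader. */
    public URL resolve(String requested, ClassLoader loader) {
        String name = toSkinxName(requested, allowedExtensions);
        if (name == null) {
            LOG.warning("Rejected skin resource request: " + requested);
            return null;
        }
        URL found = loader.getResource(name);
        if (found == null && legacyFallback) {
            // Old layout: packaged without the skinx root. The same sanitized
            // path is reused with the root stripped, so traversal stays impossible
            // and the extension filter still limits what can be read.
            String legacyName = name.substring(ROOT.length());
            found = loader.getResource(legacyName);
            if (found != null) {
                LOG.warning("Deprecated skin resource location '" + legacyName
                        + "'; it should be moved under /skinx/");
            }
        }
        return found;
    }

    public static void main(String[] args) {
        Set<String> js = Set.of("js"); // a jsrx-style resolver
        String[] requests = {
            "/gmaps/gmaps.js",          // plain request, root gets prepended
            "gmaps//gmaps.js",          // doubled slash, collapsed
            "/skinx/../private.js",     // traversal component
            "/gmaps/gmaps.css",         // wrong extension for jsrx
            "/gmaps/gmaps.js/../x.js",  // traversal hidden behind a .js name
            "/META-INF/MANIFEST.MF"     // not a script at all
        };
        for (String request : requests) {
            System.out.println(request + " -> " + toSkinxName(request, js));
        }
    }
}
```

The point of rejecting rather than normalizing ".." and "\" is that a lookup such as ClassLoader.getResource does not itself guarantee that "skinx/../private.js" stays inside skinx/, so the resolver must never hand it a name it has not built itself from clean segments. The legacy fallback reuses that same cleaned name with the root removed, which keeps the 4.5 compatibility mode within the extension filter instead of reopening the read-any-classpath-file problem the prefix was introduced to close.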

