Hi Sergiu,

Just my two cents since I have not thought deeply about it, but couldn't we benefit from the fact that we minimize those files? If we impose that jsrx and ssrx files are always minimized, and that minimization somewhat does not succeed unless we have a valid input, wouldn't it limit a lot what could be read from the classpath? Only Admin would still be able to request unminimized files for debugging. Is this really difficult, or does it still present too much risk?
On Sun, Jan 13, 2013 at 12:53 AM, Sergiu Dumitriu <[email protected]> wrote:

> Hi devs,
>
> Initially I didn't activate the resource skin extensions plugins (jsrx
> and ssrx) for security considerations, since they can be used to read
> any file from the classpath. I had forgotten to work on that, and now
> they have been enabled and used in their current implementation for a
> while. This means that changing the behavior will cause backward
> incompatibilities...
>
> So, I'm proposing that all skin resources packaged inside Jars should
> reside under the /skinx/ root directory. This prefix shouldn't be
> included in the pulled URL, it will be appended internally, and enforced
> to prevent any /skinx/../privateresource tricks.
>
> For example:
>
> $xwiki.jsrx.use('/gmaps/gmaps.js')
>
> will look for /skinx/gmaps/gmaps.js inside jars and the /classes/
> directory.
>
> As a migration plan I'd like to implement this check ASAP, add a
> configuration for enabling the old behavior (if no resource was found
> with the skinx prefix, search without the prefix), which should be set
> to true by default in 4.5. Trigger a warning (in the logs) when such a
> deprecated resource is found. For 5.0 we switch to false by default, and
> in 6.0 we remove the switch completely.
>
> WDYT?
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs

--
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO
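The enforced /skinx/ root and the legacy fallback described in the quoted proposal, as an added illustration that is not XWiki's own code: the class name `SkinResourceResolver`, the `legacyLookup` flag and the warning printed to stderr are all assumptions standing in for whatever configuration and logging the real plugin would use. The point it shows is that the requested path is reduced to plain segments (rejecting `..`) before the prefix is prepended, so the deprecated unprefixed lookup also never receives a traversal sequence.

```java
// Added example, not XWiki code: a resolver that forces jar-packaged skin
// resources under skinx/ and optionally falls back to the deprecated
// unprefixed name, logging a warning when it does.
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;

public class SkinResourceResolver {
    private static final String ROOT = "skinx";

    private final ClassLoader loader;
    // Hypothetical configuration switch: true keeps the old lookup as a fallback.
    private final boolean legacyLookup;

    public SkinResourceResolver(ClassLoader loader, boolean legacyLookup) {
        this.loader = loader;
        this.legacyLookup = legacyLookup;
    }

    /**
     * Turn a requested skin path into a classpath resource name that always
     * sits under skinx/. Empty and "." segments are dropped, ".." is refused,
     * so "/skinx/../privateresource" cannot escape the root.
     */
    static String toResourceName(String requested) {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty skin resource path");
        }
        // Backslashes and percent-escapes have no business in a skin path.
        if (requested.indexOf('\\') >= 0 || requested.indexOf('%') >= 0) {
            throw new IllegalArgumentException("illegal character in skin resource path: " + requested);
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : requested.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // a leading "/", "//" or "./" is harmless, just skip it
            }
            if (segment.equals("..")) {
                throw new IllegalArgumentException("parent traversal not allowed: " + requested);
            }
            segments.add(segment);
        }
        if (segments.isEmpty()) {
            throw new IllegalArgumentException("skin resource path resolves to the root: " + requested);
        }
        String name = ROOT + "/" + String.join("/", segments);
        // Defensive re-check: the resolved name must start with the enforced root.
        if (!name.startsWith(ROOT + "/")) {
            throw new IllegalStateException("resolved name escaped the skinx root");
        }
        return name;
    }

    /** Look the resource up under skinx/, then (if enabled) under the deprecated unprefixed name. */
    public URL find(String requested) {
        String name = toResourceName(requested);
        URL url = loader.getResource(name);
        if (url == null && legacyLookup) {
            // The legacy name is rebuilt from the sanitised segments, never from the raw input.
            String legacyName = name.substring(ROOT.length() + 1);
            url = loader.getResource(legacyName);
            if (url != null) {
                System.err.println("WARNING: skin resource '" + requested
                    + "' found outside /skinx/; move it under /skinx/ (deprecated lookup)");
            }
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the two valid forms map to skinx/gmaps/gmaps.js,
        // the traversal attempt from the proposal is rejected.
        String[] inputs = { "/gmaps/gmaps.js", "gmaps/./gmaps.js", "/skinx/../privateresource" };
        for (String input : inputs) {
            try {
                System.out.println(input + " -> " + toResourceName(input));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Note that with this scheme a request for `/skinx/gmaps/gmaps.js` resolves to `skinx/skinx/gmaps/gmaps.js`, which matches the proposal that the prefix is never part of the pulled URL; the warning path is the one to watch in logs during the 4.5 migration window, since every hit there is a resource that still lives outside the enforced root.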

