+1 for Option 2 or 2A.

As I understand, we're only talking about a URL-escaped / which both Tomcat and Apache httpd will "do things with": Tomcat blocks it, Apache either blocks or *unescapes* it depending on setup.

Thanks,
Caleb

On 16/11/15 10:21, vinc...@massol.net wrote:
Hi guys,

I think we need to reach an agreement on how to handle the default Tomcat security which disables the usage of / and \ in URLs (even URL-encoded). See http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7

We have 2 main options:

* Option 1: Tell users to disable this security feature of Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security. In this case we just need to review our code to ensure we're not subject to directory traversal attacks (see https://en.wikipedia.org/wiki/Directory_traversal_attack).
* Option 2: Decide to make it easy for Tomcat users (since it's probably the typical servlet container used by our users) and to not use / and \ in our URLs.

Option 2 means modifying our code. There are various possibilities:

* A) Replace the "/" and "\" characters by other characters in URLs and modify our URL Serialization code (implementations of XWikiURLFactory) and our URL parsing code (URL modules).
* B) Use a different encoding. Marius has used Base64 encoding for http://jira.xwiki.org/browse/XWIKI-11528. However this cannot be a generic solution since it leads to large URLs and also makes the URL not legible anymore. So this solution could only be for internal URLs.
* Other?

For A), it could be a character like '|' for '/' (and thus "||" if you want to have a real '|') and '~' for '\' (and "~~" if you want to have a real '\').

So there are 2 questions in this thread:

* Do we want to be Tomcat-friendly?
* If so, what strategy do we apply?

WDYT?

Thanks
-Vincent
_______________________________________________
devs mailing list
devs@xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
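An added example, not code from the thread or from XWiki, that implements the Option A substitution sketched above and checks it the way a reviewer would before adopting it: the encoded segment must carry no / or \ (so Tomcat's default rejection of %2F and %5C never triggers) and every segment must round-trip. It assumes, by analogy with "||", that "~~" denotes a literal "~"; the round-trip check shows the doubled-marker scheme is not uniquely decodable ("/|" and "|/" both encode to "|||"), so a prefix-free escape would be needed in practice.

```python
from urllib.parse import quote

# Option A as sketched in the thread: "|" stands for "/", "~" for "\",
# and a literal "|" or "~" is written doubled ("||", "~~").
# Assumption (not stated on the page): "~~" decodes to a literal "~".
_ESCAPES = {"/": "|", "\\": "~", "|": "||", "~": "~~"}

def encode_option_a(segment: str) -> str:
    """Single pass over the input so the markers we emit are never re-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in segment)

def decode_option_a(encoded: str) -> str:
    """Greedy left-to-right decode: a doubled marker is the literal character."""
    out, i = [], 0
    while i < len(encoded):
        ch = encoded[i]
        if ch in "|~" and i + 1 < len(encoded) and encoded[i + 1] == ch:
            out.append(ch)                      # "||" -> "|", "~~" -> "~"
            i += 2
        elif ch in "|~":
            out.append("/" if ch == "|" else "\\")
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def wire_form(segment: str) -> str:
    """What actually travels in the URL path: Option A, then percent-encoding."""
    return quote(encode_option_a(segment), safe="")

def is_tomcat_safe(segment: str) -> bool:
    """Default Tomcat rejects %2F and %5C; the wire form must carry neither."""
    w = wire_form(segment).upper()
    return "%2F" not in w and "%5C" not in w and "/" not in w and "\\" not in w

def round_trips(segment: str) -> bool:
    """A usable scheme must decode back to exactly the original segment."""
    return decode_option_a(encode_option_a(segment)) == segment

def collision_pair():
    """Two distinct inputs that Option A maps to the same string ("|||")."""
    a, b = "/|", "|/"
    assert encode_option_a(a) == encode_option_a(b) == "|||"
    return a, b

if __name__ == "__main__":
    # Constructed sample segments: a normal page reference plus marker-heavy edge cases.
    for s in ["Main/WebHome", "a|b~c\\d", "|/", "/|"]:
        print(f"{s!r:14} -> {wire_form(s):16} safe={is_tomcat_safe(s)} round_trips={round_trips(s)}")
    print("collision:", collision_pair())
```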