On 16 Nov 2015 at 11:35:27, Caleb James DeLisle (c...@cjdns.fr) wrote:

+1 for Option 2 or 2A

As I understand, we're only talking about URL escaped / which both Tomcat and Apache httpd will "do things with": Tomcat blocks it, Apache either blocks or *unescapes* it depending on setup.


To be clear, it's both "/" and "\" for Tomcat (see my mail). I don't know about Apache HTTPD's defaults (do you have a pointer?).

-Vincent



Thanks,
Caleb


On 16/11/15 10:21, vinc...@massol.net wrote:
> Hi guys,
>
> I think we need to reach an agreement on how to handle the default Tomcat security 
> which disables the usage of / and \ in URLs (even URL-encoded). See 
> http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
>
> We have 2 main options:
>
> * Option 1: Tell users to disable this security feature of Tomcat: 
> http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security. In 
> this case we just need to review our code to ensure we’re not subject to 
> directory traversal attacks (see 
> https://en.wikipedia.org/wiki/Directory_traversal_attack).
>
> * Option 2: Decide to make it easy for Tomcat users (since it’s probably the 
> typical servlet container used by our users) and to not use / and \ in our 
> URLs.
>
> Option 2 means modifying our code. There are various possibilities:
> * A) Replace the "/" and "\" characters by other characters in URLs and 
> modify our URL Serialization code (implementations of XWikiURLFactory) and 
> our URL parsing code (URL modules).
> * B) Use a different encoding. Marius has used Base64 encoding for 
> http://jira.xwiki.org/browse/XWIKI-11528. However this cannot be a generic 
> solution since it leads to large URLs and also makes the URL not legible 
> anymore. So this solution could only be for internal URLs.
> * Other?
>
> For A), it could be a character like '|' for '/' (and thus "||" if you want to 
> have a real '|') and '~' for '\' (and "~~" if you want to have a real '\').
>
> So there are 2 questions in this thread:
> * Do we want to be Tomcat-friendly?
> * If so, what strategy do we apply?
>
> WDYT?
>
> Thanks
> -Vincent
>
>
>
>
> _______________________________________________
> devs mailing list
> devs@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
>
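The substitution proposed under option A) (a single marker for the separator, the marker doubled for a literal marker) is worth checking before it goes into XWikiURLFactory and the URL parsing modules, because an encoding that is not uniquely decodable means two different references can serialize to the same URL, and the decoder will silently pick one of them. The example below is an added illustration and is not XWiki code: it implements the doubling scheme exactly as described in the thread, shows with a round-trip check that "/|" and "|/" both encode to "|||", and contrasts it with a prefix-free variant (an assumption of this example, not something proposed in the thread) in which a single escape character "~" is always followed by a one-letter code, so every escape sequence has a fixed length and decoding is deterministic. The sample inputs are constructed for the demonstration.

```python
"""Reversible encoding of '/' and '\\' inside URL path segments.

Scheme 1 (from the thread):  '/' -> '|', literal '|' -> '||',
                              '\\' -> '~', literal '~' -> '~~'
Scheme 2 (assumption, prefix-free): '/' -> '~s', '\\' -> '~b', '~' -> '~~'
"""

# --- Scheme 1: doubling the marker for a literal marker ---------------------
DOUBLE_MAP = {"/": "|", "|": "||", "\\": "~", "~": "~~"}


def encode_doubling(segment: str) -> str:
    return "".join(DOUBLE_MAP.get(ch, ch) for ch in segment)


def decode_doubling(encoded: str) -> str:
    # Greedy left-to-right: a doubled marker is the literal marker,
    # a single marker is the encoded separator.
    out, i = [], 0
    while i < len(encoded):
        ch = encoded[i]
        if ch in ("|", "~"):
            if i + 1 < len(encoded) and encoded[i + 1] == ch:
                out.append(ch)          # '||' -> '|', '~~' -> '~'
                i += 2
            else:
                out.append("/" if ch == "|" else "\\")
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# --- Scheme 2: one escape character followed by a one-letter code -----------
ESC = "~"
PF_ENCODE = {"/": ESC + "s", "\\": ESC + "b", ESC: ESC + ESC}
PF_DECODE = {"s": "/", "b": "\\", ESC: ESC}


def encode_prefix_free(segment: str) -> str:
    return "".join(PF_ENCODE.get(ch, ch) for ch in segment)


def decode_prefix_free(encoded: str) -> str:
    # Every escape is exactly two characters, so parsing never has to guess;
    # a dangling or unknown escape is rejected instead of being guessed at.
    out, i = [], 0
    while i < len(encoded):
        ch = encoded[i]
        if ch != ESC:
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(encoded) or encoded[i + 1] not in PF_DECODE:
            raise ValueError(f"malformed escape at offset {i} in {encoded!r}")
        out.append(PF_DECODE[encoded[i + 1]])
        i += 2
    return "".join(out)


# --- Checks -----------------------------------------------------------------
def check_round_trip(encode, decode, samples):
    """Return the inputs that do not survive decode(encode(x))."""
    return [s for s in samples if decode(encode(s)) != s]


def find_collision(encode, samples):
    """Return two distinct inputs with the same encoding, or None."""
    seen = {}
    for s in samples:
        e = encode(s)
        if e in seen and seen[e] != s:
            return seen[e], s
        seen[e] = s
    return None


# Constructed sample segments; the last few are the ambiguous corner cases.
SAMPLES = ["Main.WebHome", "a/b", "a\\b", "pipe|char", "tilde~char",
           "||", "~~", "|/", "/|", "~\\", "\\~"]

if __name__ == "__main__":
    print("doubling  failures :", check_round_trip(encode_doubling, decode_doubling, SAMPLES))
    print("doubling  collision:", find_collision(encode_doubling, SAMPLES))
    print("prefixfree failures:", check_round_trip(encode_prefix_free, decode_prefix_free, SAMPLES))
```

Whatever scheme is chosen, decoding reintroduces the real separator, so the code that consumes the decoded value still needs the directory traversal review mentioned under option 1; the encoding only keeps the container from rejecting the request, it does not make the decoded path trustworthy. "~" is an unreserved character in RFC 3986, so it survives URL serialization unchanged, which is why the prefix-free variant uses it as the escape character.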