From: Vincent | at: Mon, 16.11.2015, 11:53

> On 16 Nov 2015 at 11:35:27, Caleb James DeLisle (c...@cjdns.fr) wrote:
>
> +1 for Option 2 or 2A
>
> As I understand, we're only talking about URL escaped / which both Tomcat and
> Apache httpd will "do things with", tomcat blocks it, Apache either blocks or
> *unescapes* it depending on setup.
>
>
> To be clear it is both "/" and "\" for Tomcat (see my mail). I don't know about
> Apache HTTPD's defaults (you have a pointer?).
>
> -Vincent
>
Actually by default apache httpd does not allow encoded slashes at all:
https://httpd.apache.org/docs/2.4/en/mod/core.html#allowencodedslashes

Personally I prefer a third option:

- disallow '/' and '\' in page names completely when creating / renaming pages
- in the UI, if the user enters these characters to add (or rename), scrap them
  from the page name, or replace them by '-' (they will still show up in the
  title) and create a new page with the name without the slashes
- make this configurable, like 'xwiki.pagename.forbiddenchars=/\\' and then
  people who are able to set up their servlet container to allow slashes can
  empty that config variable.

just an idea
Clemens

>
> Thanks,
> Caleb
>
>
> On 16/11/15 10:21, vinc...@massol.net wrote:
>> Hi guys,
>>
>> I think we need to reach an agreement on how to handle the default Tomcat
>> security which disables the usage of / and \ in URLs (even URL-encoded). See
>> http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
>>
>> We have 2 main options:
>>
>> * Option 1: Tell users to disable this security feature of Tomcat:
>> http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security. In
>> this case we just need to review our code to ensure we're not subject to
>> directory traversal attacks (see
>> https://en.wikipedia.org/wiki/Directory_traversal_attack).
>>
>> * Option 2: Decide to make it easy for Tomcat users (since it's probably the
>> typical servlet container used by our users) and to not use / and \ in our
>> URLs.
>>
>> Option 2 means modifying our code. There are various possibilities:
>> * A) Replace the "/" and "\" characters by other characters in URLs and
>> modify our URL Serialization code (implementations of XWikiURLFactory) and
>> our URL parsing code (URL modules).
>> * B) Use a different encoding. Marius has used Base64 encoding for
>> http://jira.xwiki.org/browse/XWIKI-11528.
>> However this cannot be a generic
>> solution since it leads to large URLs and also makes the URL not legible
>> anymore. So this solution could only be for internal URLs.
>> * Other?
>>
>> For A), it could be a character like '|' for '/' (and thus "||" if you want
>> to have a real '|') and '~' for '\' (and "~~" if you want to have a real
>> '\').
>>
>> So there are 2 questions in this thread:
>> * Do we want to be Tomcat-friendly?
>> * If so, what strategy do we apply?
>>
>> WDYT?
>>
>> Thanks
>> -Vincent
>>
>> _______________________________________________
>> devs mailing list
>> devs@xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/devs
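Worked example of Option A, added here as an illustration and not code from XWiki or from anyone in the thread. It implements the replacement rule exactly as Vincent words it ('/' becomes '|', a literal '|' becomes '||', '\' becomes '~', a literal '~' becomes '~~') and shows one property worth knowing before adopting it: because "|" and "||" are both valid codes, a run of three pipes has two parsings, so the names "/|" and "|/" both serialize to "|||" and the URL parser cannot tell them apart. The second encoder is an assumption made for this example (not something the thread proposes): it keeps '|' for '/' but uses '~' as the single escape prefix ('~p' for a literal '|', '~b' for '\', '~~' for '~'), which is prefix-free and therefore decodes unambiguously. The sample page name is constructed.

```python
"""Option A from the thread: keep a page name inside one URL path segment
by replacing '/' and '\\' with characters Tomcat does not reject.

Added example, not XWiki code.  Two encoders are shown:
  * encode_option_a: the doubling rule exactly as proposed, which is not
    uniquely decodable;
  * encode_segment / decode_segment: a prefix-free variant using '~' as the
    single escape prefix (an assumption made here, not the thread's rule).
"""
from urllib.parse import quote


def encode_option_a(name: str) -> str:
    """The doubling scheme as worded in the thread."""
    # Double the replacement characters first, then substitute the slashes.
    return (name.replace("|", "||").replace("~", "~~")
                .replace("/", "|").replace("\\", "~"))


def option_a_collides(a: str, b: str) -> bool:
    """True when two different names produce the same Option A segment."""
    return a != b and encode_option_a(a) == encode_option_a(b)


# Prefix-free variant (assumption): a bare '|' stands for '/'; every other
# character that needs escaping is '~' followed by exactly one code letter,
# so a single left-to-right scan is unambiguous.
ESCAPE = "~"
_ENC = {"/": "|", "|": "~p", "\\": "~b", "~": "~~"}
_DEC = {"p": "|", "b": "\\", "~": "~"}


def encode_segment(name: str) -> str:
    """Serialize a page name into a segment free of '/' and '\\'."""
    return "".join(_ENC.get(ch, ch) for ch in name)


def decode_segment(seg: str) -> str:
    """Parse a segment produced by encode_segment back into the page name."""
    out = []
    i = 0
    while i < len(seg):
        ch = seg[i]
        if ch == "|":
            out.append("/")
        elif ch == ESCAPE:
            i += 1
            if i >= len(seg) or seg[i] not in _DEC:
                # A dangling or unknown escape is a malformed URL, not a name.
                raise ValueError(f"malformed escape at offset {i - 1}")
            out.append(_DEC[seg[i]])
        elif ch in "/\\":
            # Raw separators never belong inside an encoded segment; rejecting
            # them keeps the decoder from ever emitting a traversal-shaped path.
            raise ValueError(f"raw separator {ch!r} at offset {i}")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def tomcat_safe_segment(name: str) -> str:
    """Percent-encode the escaped segment and confirm it carries neither a raw
    nor a percent-encoded '/' or '\\', the sequences Tomcat rejects by default."""
    seg = quote(encode_segment(name), safe="")
    if "/" in seg or "\\" in seg:
        raise ValueError("raw separator survived encoding")
    if "%2F" in seg.upper() or "%5C" in seg.upper():
        raise ValueError("encoded separator survived encoding")
    return seg


if __name__ == "__main__":
    name = "Sandbox/Sub\\Page|x~y"   # constructed sample page name
    seg = encode_segment(name)
    print(seg, "->", decode_segment(seg))
    print(tomcat_safe_segment(name))
    print("Option A collision for '/|' vs '|/':", option_a_collides("/|", "|/"))
```

The decoder refuses a raw '/' or '\' inside a segment rather than passing it through; with Option 1 (flipping the Tomcat 7 system properties linked in Vincent's mail so that encoded slashes and backslashes are accepted) that refusal is exactly the kind of check the "review our code for directory traversal" step would have to add everywhere a decoded segment reaches the filesystem or a nested resource path.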