Hi Clemens,

On 16 Nov 2015 at 12:36:08, Clemens Klein-Robbenhaar (c.robbenh...@espresto.com) wrote:

> > From: Vincent | at: Mon, 16.11.2015, 11:53
> >
> > On 16 Nov 2015 at 11:35:27, Caleb James DeLisle (c...@cjdns.fr) wrote:
> >
> > > +1 for Option 2 or 2A
> > >
> > > As I understand, we're only talking about URL escaped / which both Tomcat
> > > and Apache httpd will "do things with", tomcat blocks it, Apache either
> > > blocks or *unescapes* it depending on setup.
> >
> > To be clear it’s both “/” and “\” for Tomcat (see my mail). I don’t know
> > about Apache HTTPD’s defaults (you have a pointer?).
> >
> > -Vincent
>
> Actually by default apache httpd does not allow encoded slashes at all:
> https://httpd.apache.org/docs/2.4/en/mod/core.html#allowencodedslashes
>
> Personally I prefer a third option:
> - disallow '/' and '\' in page names completely when creating / renaming pages
> - in the UI, if the user enters these characters to add (or rename), scrap
>   them from the page name, or replace them by '-' (they will still show up in
>   the title) and create a new page with the name without the slashes
> - make this configurable, like 'xwiki.pagename.forbiddenchars=/\\'
>   and then people who are able to set up their servlet container to allow
>   slashes can empty that config variable.

This covers only a portion of all the use cases, unless you also want to disable “.”, “:”, “@”, “^” characters in page names, because if you don’t then they’ll be escaped in serialized references which can surface in the URL (as shown by http://jira.xwiki.org/browse/XWIKI-11528 and by the URL format I’m proposing for Zip URLs; the reference URL scheme is also affected obviously, see http://design.xwiki.org/xwiki/bin/view/Design/AlternateURLScheme).

Thanks
-Vincent

> just an idea
> Clemens
>
> > > Thanks,
> > > Caleb
> > >
> > > On 16/11/15 10:21, vinc...@massol.net wrote:
> > > > Hi guys,
> > > >
> > > > I think we need to reach an agreement on how to handle the default Tomcat
> > > > security which disables the usage of / and \ in URLs (even URL-encoded).
> > > > See
> > > > http://www.tomcatexpert.com/blog/2011/11/02/best-practices-securing-apache-tomcat-7
> > > >
> > > > We have 2 main options:
> > > >
> > > > * Option 1: Tell users to disable this security feature of Tomcat:
> > > > http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html#Security.
> > > > In this case we just need to review our code to ensure we’re not subject
> > > > to directory traversal attacks (see
> > > > https://en.wikipedia.org/wiki/Directory_traversal_attack).
> > > >
> > > > * Option 2: Decide to make it easy for Tomcat users (since it’s probably
> > > > the typical servlet container used by our users) and to not use / and \ in
> > > > our URLs.
> > > >
> > > > Option 2 means modifying our code. There are various possibilities:
> > > > * A) Replace the “/” and “\” characters by other characters in URLs and
> > > > modify our URL Serialization code (implementations of XWikiURLFactory) and
> > > > our URL parsing code (URL modules).
> > > > * B) Use a different encoding. Marius has used Base64 encoding for
> > > > http://jira.xwiki.org/browse/XWIKI-11528. However this cannot be a generic
> > > > solution since it leads to large URLs and also makes the URL not legible
> > > > anymore. So this solution could only be for internal URLs.
> > > > * Other?
> > > >
> > > > For A), it could be a character like ‘|’ for ‘/’ (and thus “||” if you want
> > > > to have a real ‘|’) and ‘~’ for ‘\’ (and “~~” if you want to have a real
> > > > ‘\’).
> > > >
> > > > So there are 2 questions in this thread:
> > > > * Do we want to be Tomcat-friendly?
> > > > * If so, what strategy do we apply?
> > > >
> > > > WDYT?
> > > >
> > > > Thanks
> > > > -Vincent

_______________________________________________
devs mailing list
devs@xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
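Added example, not code from the thread or from XWiki: a small Java encoder/decoder for the option A substitution quoted above ('/' becomes '|', a literal '|' becomes "||", '\' becomes '~', a literal '~' becomes "~~"), plus the round-trip check a reviewer would run before wiring any such scheme into URL serialization and parsing. The class and method names are hypothetical and nothing here touches XWikiURLFactory. The point of the check is that two different page names must never serialize to the same URL segment; running it on the constructed samples in main() shows that names mixing the two characters (for instance "a//b" and "a|b") collide under the scheme exactly as written, which is the kind of ambiguity that turns into reference confusion once the parser is on the other side of a servlet container.

```java
// Added example (not XWiki code). Escapes one page-name segment so the URL
// never carries '/' or '\' (which Tomcat rejects by default, even encoded),
// decodes it back, and checks that the mapping is reversible.
public final class SlashFreeSegmentCodec {

    /** Encode one page-name segment using the substitution from the thread. */
    public static String encode(String segment) {
        StringBuilder out = new StringBuilder(segment.length());
        for (int i = 0; i < segment.length(); i++) {
            char c = segment.charAt(i);
            switch (c) {
                case '/':  out.append('|');  break;  // forward slash -> pipe
                case '|':  out.append("||"); break;  // literal pipe -> doubled pipe
                case '\\': out.append('~');  break;  // backslash -> tilde
                case '~':  out.append("~~"); break;  // literal tilde -> doubled tilde
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Reverse encode(): a doubled marker is the literal, a single one is the slash. */
    public static String decode(String encoded) {
        StringBuilder out = new StringBuilder(encoded.length());
        for (int i = 0; i < encoded.length(); i++) {
            char c = encoded.charAt(i);
            if (c == '|' || c == '~') {
                boolean doubled = i + 1 < encoded.length() && encoded.charAt(i + 1) == c;
                if (doubled) {
                    out.append(c);   // "||" -> '|', "~~" -> '~'
                    i++;             // consume the second marker
                } else {
                    out.append(c == '|' ? '/' : '\\');
                }
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** True if decode(encode(segment)) gives the segment back unchanged. */
    public static boolean roundTrips(String segment) {
        return segment.equals(decode(encode(segment)));
    }

    public static void main(String[] args) {
        // Constructed sample page-name segments (not taken from any real wiki).
        String[] samples = { "Main", "Path/Like", "C:\\Temp", "a|b", "x~y", "a//b", "/|" };
        for (String s : samples) {
            String enc = encode(s);
            System.out.printf("%-10s -> %-10s -> %-10s round-trip=%b%n",
                s, enc, decode(enc), roundTrips(s));
        }
        // The check that matters for any substitution scheme: distinct names
        // must produce distinct URL segments. These two do not.
        System.out.println("encode(\"a//b\") equals encode(\"a|b\"): "
            + encode("a//b").equals(encode("a|b")));
    }
}
```

Running main() prints each sample, its encoded form, the decoded form and whether it survived the round trip; "Path/Like", "C:\Temp", "a|b" and "x~y" come back intact, while "a//b" decodes to "a|b" and "/|" encodes to "|||", which is also what "|/" encodes to. Whichever option the thread settles on, the same roundTrips() style check belongs next to the serializer and the parser so that the two can never disagree about what a URL segment names.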