XWiki Platform: XWIKI-19349

It's possible to access a classloader file out of the "templates/" prefix through template manager


    Details

    • Tests:
      Integration
    • Difficulty:
      Unknown
    • Documentation in Release Notes:
      N/A
    • Similar issues:

      Description

      XCOMMONS-2347 makes it even worse, because we can access any file from the WEB-INF/ folder in Tomcat.

      We have a protection to make sure that we don't allow paths that go outside the "templates" folder for filesystem templates, but nothing for the Classloader, since it was not expected to go out of... well, the Classloader. The problem is that the Tomcat (9.0.30) Classloader seems to fall back on the servlet resources, allowing access to any file from the WAR with the right "../" trick.

      For example:

      {{template name="../../hibernate.cfg.xml"/}}
      

      This cannot be done using the xpage URL parameter, because it forces a ".vm" suffix on the template name.

      In any case it would be cleaner to forbid templates from going higher than the "templates/" folder (even if it's a lot less sensitive than "hibernate.cfg.xml"), which is possible regardless of the application server.
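The confinement check suggested above, as an added example rather than XWiki's own TemplateManager code: the name is normalized segment by segment and any attempt to climb above the "templates/" root is rejected before the name reaches either the filesystem or the classloader lookup, so the behaviour no longer depends on what a particular application server's classloader falls back to. The class name TemplatePathGuard and the method confine are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

/**
 * Hypothetical helper (not part of XWiki): confines a template name to the
 * "templates/" prefix before it is handed to any resource loader.
 */
public final class TemplatePathGuard {
    private static final String PREFIX = "templates/";

    private TemplatePathGuard() {}

    /**
     * Returns the confined resource path, or empty when the name tries to
     * escape the templates folder. The check works purely on the name, so it
     * applies equally to filesystem and classloader lookups.
     */
    public static Optional<String> confine(String name) {
        if (name == null || name.isEmpty()) {
            return Optional.empty();
        }
        // Characters that some resource loaders treat specially are never
        // legitimate in a template name.
        if (name.indexOf('\0') >= 0 || name.indexOf('\\') >= 0) {
            return Optional.empty();
        }
        // Absolute paths and URL-like names ("jar:", "file:") are rejected.
        if (name.startsWith("/") || name.contains(":")) {
            return Optional.empty();
        }

        Deque<String> segments = new ArrayDeque<>();
        for (String segment : name.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                // Climbing above the root is refused outright, even if later
                // segments would descend back into the templates folder.
                if (segments.isEmpty()) {
                    return Optional.empty();
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        if (segments.isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(PREFIX + String.join("/", segments));
    }

    public static void main(String[] args) {
        // Constructed sample names: two legitimate templates, the traversal
        // from the issue description, and a few variants of it.
        String[] samples = {
            "view.vm",
            "macros/header.vm",
            "../../hibernate.cfg.xml",
            "macros/../../../WEB-INF/web.xml",
            "macros/../view.vm",
            "/etc/passwd",
            "jar:file:///x.jar!/view.vm"
        };
        for (String sample : samples) {
            System.out.printf("%-40s -> %s%n", sample, confine(sample).orElse("REJECTED"));
        }
    }
}
```

The guard must run on the exact string the loader will receive (after any decoding the request layer performs), and a stricter variant can reject any ".." segment at all rather than normalizing it; both versions keep "macros/../view.vm" harmless while refusing "../../hibernate.cfg.xml".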

      People

      Assignee: Thomas Mortagne (tmortagne)
      Reporter: Thomas Mortagne (tmortagne)
      Votes: 0
      Watchers: 1