Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19349

It's possible to access a classloader file out of the "templates/" prefix through template manager

    XMLWordPrintable

Details

    • Integration
    • Unknown
    • N/A

    Description

      XCOMMONS-2347 makes it even worst because we can access any file from the WEB-INF/ folder in tomcat.

      We have a protection to make sure that we don't allow path that goes outside the "templates" folder for filesystem template but nothing for Classloader since it was not expected to go out of... well the Classloader. Problem is that the Tomcat (9.0.30) Classloader seems to fallback on the servlet resources allowing to access any file from the WAR with the right "../" trick.

      For example:

      {{template name="../../hibernate.cfg.xml"/}}

      This cannot be done using xpage URL parameter because it forces a ".vm" suffix to the template name.

      In any case it would be cleaner to forbid templates to go higher than the "templates/" folder (even if it's a lot less sensitive than "hibernate.cfg.xml") which is something possible no matter the application server.

      Attachments

        Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. XCOMMONS-2347 ServletEnvironment#getResource should not return URL with relative path component

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. XWIKI-13702 Make Template Manager fallback on embedded template file

          • Major - Major loss of function.
          • Closed

          Activity

            People

              tmortagne Thomas Mortagne
              tmortagne Thomas Mortagne
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: