Details
- Bug
- Resolution: Fixed
- Blocker
- 6.1-milestone-2
- Integration
- Low
- Unknown
- N/A
Description
It could have been as wide as XWIKI-19349, but Tomcat seems to do a strange partial resolution of input URLs: for http://127.0.0.1:8080/xwiki/webjars/wiki%3Axwiki/../../../hibernate.cfg.xml it behaves as if the request were http://127.0.0.1:8080/hibernate.cfg.xml (and produces an error right away), but for http://127.0.0.1:8080/xwiki/webjars/wiki%3Axwiki/../../hibernate.cfg.xml it does nothing special and XWiki receives the full URL. Fortunately two `..` segments are not enough to get out of the classloader, thanks to the META-INF/resources/webjars/ webjar resource prefix.
Still, it would be safer to have a real protection in the webjar resource handler; there is no legitimate reason to allow a request to go outside the webjar prefix anyway.
Note that you cannot exploit this from Firefox or Chrome, because they resolve the ../../ in the URL before sending it.
Setting this to minor since it is limited to resources located under META-INF/, so it is a fairly limited security issue (and not one at all for a clean XWiki Standard, since everything under META-INF is public resources anyway), but it might be a problem if an extension you installed keeps some sensitive data there.
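A containment check of the kind the description calls for, written here as an added, stand-alone illustration (not XWiki's own resource handler code). It assumes it is handed the requested resource path relative to the webjar prefix, after the servlet container has URL-decoded it and the wiki segment (`wiki:xwiki` above) has been stripped; it refuses any path that would climb above the prefix, including the three-`..` form that Tomcat happens to collapse on its own.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added illustration of a webjar path containment check (not XWiki's code).
 * The requested path is normalized segment by segment and rejected as soon as
 * a ".." would climb above the webjar prefix, instead of trusting the servlet
 * container to have collapsed the relative components.
 */
public final class WebjarPathCheck {
    // Classloader prefix under which webjar resources live (quoted in the issue).
    static final String PREFIX = "META-INF/resources/webjars/";

    private WebjarPathCheck() {}

    /**
     * @param requested resource path relative to the webjar prefix, already
     *        URL-decoded by the container, e.g. "../../hibernate.cfg.xml"
     *        or "jquery/3.6.0/jquery.min.js" (constructed sample values)
     * @return the normalized classloader resource path, or null when the
     *         path is empty or would escape the webjar prefix
     */
    public static String resolve(String requested) {
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : requested.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // "//" and "./" are no-ops
            }
            if (segment.equals("..")) {
                if (stack.isEmpty()) {
                    return null; // would leave the webjar prefix: refuse
                }
                stack.removeLast();
                continue;
            }
            stack.addLast(segment);
        }
        if (stack.isEmpty()) {
            return null; // nothing to serve
        }
        String resolved = PREFIX + String.join("/", stack);
        // Cheap final guard in case the prefix handling above is ever changed.
        return resolved.startsWith(PREFIX) ? resolved : null;
    }

    public static void main(String[] args) {
        // The two-".." request from the issue is refused; a normal webjar
        // path resolves to its classloader location under the prefix.
        System.out.println(resolve("../../hibernate.cfg.xml"));
        System.out.println(resolve("jquery/3.6.0/jquery.min.js"));
    }
}
```

The handler would call `resolve` on the incoming path and answer 404 (or 400) on null before touching the classloader, so the container's partial URL resolution no longer matters.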
Attachments
Issue Links
- depends on XCOMMONS-3327 Provide an internal helper to safely access ClassLoader resources (Closed)
- is related to XCOMMONS-2347 ServletEnvironment#getResource should not return URL with relative path component (Closed)