<br><br>On Friday, July 25, 2014, Lucas Holmquist <<a href="mailto:lholmqui@redhat.com">lholmqui@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><br><div><div>On Jul 25, 2014, at 10:29 AM, Matthias Wessendorf <<a href="javascript:_e(%7B%7D,'cvml','matzew@apache.org');" target="_blank">matzew@apache.org</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 25, 2014 at 4:16 PM, Lucas Holmquist <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','lholmqui@redhat.com');" target="_blank">lholmqui@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div><div>On Jul 25, 2014, at 9:38 AM, Matthias Wessendorf <<a href="javascript:_e(%7B%7D,'cvml','matzew@apache.org');" target="_blank">matzew@apache.org</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div class="gmail_extra"><br><br><br><div class="gmail_quote">On Fri, Jul 25, 2014 at 3:33 PM, Bruno Oliveira<span> </span><span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','bruno@abstractj.org');" target="_blank">bruno@abstractj.org</a>></span><span> </span>wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Tadeas, you are correct. Apache web server disallow %2F or %5C<br>
due to security concerns. There are several alternatives, most of them<br>workarouds, some people double encode it, others replace / by _ back and<br>forth or some people disable it like:<br><br><VirtualHost *:80><br>
<span> </span>AllowEncodedSlashes On<br></VirtualHost><br></blockquote><div><br></div><div>so, looks like it was a stupid idea to use the pushEndpoint as the 'deviceToken'.</div><div><br></div><div>Perhaps we should make UPS.js generate a UUID and use that as deviceToken and send the pushEndpoint as part of the JSON, similar to like we did before.</div>
<div>(But before we were using the SimplePush channelID as the deviceToken, which is clearly a no-go)<br></div></div></div></div></blockquote><div><br></div></div><div>i’ll need to look into this more, but i sort of like the fact that the UPS.js is somewhat stateless and doesn’t care about SimplePush, since it is also used for GCM for Chrome</div>
</div></div></blockquote><div><br></div><div><br></div><div>I can see that - but ... thinking... I'd also like to get rid of returning any payload from the registration endpoint. I think some of the simplifications in simplepush are part of the issue. not sure</div>
</div></div></div></blockquote><div>didn’t realize anything is sent back, in our examples, using UPS.js, we don’t do anything with the returned value</div></div></div></blockquote><div><br></div><div>Yep, dont rely on it <span></span></div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div><br></div><br><blockquote type="cite"><div dir="ltr">
<div class="gmail_extra"><div class="gmail_quote">
<div><br></div><div>I like it, but it's just different :)</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div><div>
<br><blockquote type="cite"><div dir="ltr" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div class="gmail_extra"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>I hope it helps, otherwise let me know how I can help.<br><div><br>On 2014-07-25, Tadeas Kriz wrote:<br>><br>> —<br>> Tadeas Kriz<br>><br>> On 25 Jul 2014, at 01:09 pm, Daniel Bevenius <<a href="javascript:_e(%7B%7D,'cvml','daniel.bevenius@gmail.com');" target="_blank">daniel.bevenius@gmail.com</a>> wrote:<br>
><br>> > > it might work, although I’m not sure if this is the best solution “on the market”.<br>> > It may not be the best solution and feel free to ignore it.<br>> ><br>><br>> I’d love to test it first. My only concern is whether or not might it be a security issue. I think that’s something that Bruno might know.<br>
><br>> ><br>> ><br>> ><br>> > On 25 July 2014 12:55, Tadeas Kriz <<a href="javascript:_e(%7B%7D,'cvml','tkriz@redhat.com');" target="_blank">tkriz@redhat.com</a>> wrote:<br>
> ><br>> > —<br>> > Tadeas Kriz<br>
> ><br>> > On 25 Jul 2014, at 12:38 pm, Daniel Bevenius <<a href="javascript:_e(%7B%7D,'cvml','daniel.bevenius@gmail.com');" target="_blank">daniel.bevenius@gmail.com</a>> wrote:<br>> ><br>
> >> >What do you mean by that regex?<br>
> >> That the JAXRS implementation should not disallow as '/' in the path.<br>> ><br>> > Well, if it was like:<br>> ><br>> > ```<br>> > DELETE /rest/registry/installation/<a href="http://localhost:8321/asdasd" target="_blank">http://localhost:8321/asdasd</a><br>
> > ```<br>> ><br>> > and the token you showed would match all the characters (which means that the `String token` would become `<a href="http://localhost:8321/asdasd" target="_blank">http://localhost:8321/asdasd`</a><span> </span>in the endpoint method), it might work, although I’m not sure if this is the best solution “on the market”.<br>
> ><br>> >><br>> >> >The problem is simply the “%2F” in the token (which is an URLencoded simplepush url) and it’s being revoked long before it hits the RestEasy (which does the routing according to what’s in the @Path).<br>
> >> I guess I don't understand why this would be revoked by anything before it hits the JAXRS implementation, but if that is the case you are right and adding this would not help.<br>> >><br>> ><br>
> > This was a solution for a security hole. As I understand it, on linux, scripts cannot tell difference between “/“ and “%2F” and because of that, it’s forbidden to use as a path parameter (at least on Tomcat).<br>
> ><br>> >><br>> >><br>> >><br>> >><br>> >><br>> >> On 25 July 2014 12:25, Tadeas Kriz <<a href="javascript:_e(%7B%7D,'cvml','tkriz@redhat.com');" target="_blank">tkriz@redhat.com</a>> wrote:<br>
> >><br>> >> —<br>> >> Tadeas Kriz<br>> >><br>> >> On 25 Jul 2014, at 11:04 am, Daniel Bevenius <<a href="javascript:_e(%7B%7D,'cvml','daniel.bevenius@gmail.com');" target="_blank">daniel.bevenius@gmail.com</a>> wrote:<br>
> >><br>> >>> >5. don’t use the url as a deviceToken (might not comply with Mozzila’s SimplePush specs)<br>> >>> The deviceToken is an UPS concept and there is nothing in the SimplePush spec which is violated in this case.<br>
> >>><br>> >><br>> >> I thought that deviceTokens were changed from a generated value to the URL just to comply with Mozzila’s SimplePush specs. Matzew, why was the generated token removed then?<br>
> >><br>> >>> I'm not sure about what the best option is for UPS thought. Would a regex in for the @Path annotation work perhaps, something like:<br>> >>><br>> >>> @DELETE<br>
> >>> @Path("{token, .+}")<br>> >>> public Response unregisterInstallations(<br>> >>><br>> >><br>> >> What do you mean by that regex? The problem is simply the “%2F” in the token (which is an URLencoded simplepush url) and it’s being revoked long before it hits the RestEasy (which does the routing according to what’s in the @Path).<br>
> >><br>> >>><br>> >>> On 25 July 2014 10:32, Tadeas Kriz <<a href="javascript:_e(%7B%7D,'cvml','tkriz@redhat.com');" target="_blank">tkriz@redhat.com</a>> wrote:<br>
> >>><br>> >>> —<br>
> >>> Tadeas Kriz<br>> >>><br>> >>> On 24 Jul 2014, at 05:44 pm, Karel Piwko <<a href="javascript:_e(%7B%7D,'cvml','kpiwko@redhat.com');" target="_blank">kpiwko@redhat.com</a>> wrote:<br>
> >>><br>
> >>> > On Thu, Jul 24, 2014 at 3:28 PM, Tadeas Kriz <<a href="javascript:_e(%7B%7D,'cvml','tkriz@redhat.com');" target="_blank">tkriz@redhat.com</a>> wrote:<br>> >>> >><br>
> >>> >> It should not. For hibernate, it’s just a string like any other.<br>
> >>> >> The problem might be in the configuration of<span> </span><a href="http://jax.rs/RestEasy" target="_blank">JAX.RS/RestEasy</a>. If<br>> >>> >> I’ll have some time today evening, I’ll try to fix it, it should<br>
> >>> >> be an easy fix.<br>> >>> ><br>> >>> > Last famous words? ;-)<br>> >>> ><br>> >>><br>> >>> I shall never say “an easy fix” again.<br>
> >>><br>> >>> > But I agree. Everything is string and URL encode should happen on<br>> >>> > client while server should automatically decode and work always with<br>> >>> > just decoded string. If we need to encode twice, something is wrong.<br>
> >>> ><br>> >>><br>> >>> Anyway, the 400 Bad request response is made by the tomcat itself, disallowing the use of %2F as a path parameter. This will probably apply on other web containers.<br>
> >>><br>> >>> Possible solutions with their disadvantages:<br>> >>><br>> >>> 1. well-documented double-encoding of the URL (might be confusing)<br>> >>> 2. use @QueryParam instead of @PathParam (breaks the api consistence, as every other call would still use @PathParam)<br>
> >>> 3. allow @QueryParam (again, breaks the api consistence, but only for the SimplePush)<br>> >>> 4. find another encoding (Base64 for URL = URLEncode then Base64 encode)<br>> >>> 5. don’t use the url as a deviceToken (might not comply with Mozzila’s SimplePush specs)<br>
> >>><br>> >>> What do you think guys?<br>> >>><br>> >>> >><br>> >>> >><br>> >>> ><br>> >>> ><br>> >>> > _______________________________________________<br>
> >>> > aerogear-dev mailing list<br>> >>> ><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> >>> ><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> >>><br>> >>><br>> >>> _______________________________________________<br>> >>> aerogear-dev mailing list<br>> >>><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> >>><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>> >>><br>> >>> _______________________________________________<br>
> >>> aerogear-dev mailing list<br>> >>><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>> >>><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> >><br>> >><br>> >> _______________________________________________<br>> >> aerogear-dev mailing list<br>> >><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> >><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>> >><br>> >> _______________________________________________<br>
> >> aerogear-dev mailing list<br>> >><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>> >><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
> ><br>> ><br>> > _______________________________________________<br>> > aerogear-dev mailing list<br>> ><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> ><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>> ><br>> > _______________________________________________<br>
> > aerogear-dev mailing list<br>> ><span> </span><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>> ><span> </span><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
><br><br></div>--<br><br>abstractj<br>PGP: 0x84DC9914<br><div>_______________________________________________<br>aerogear-dev mailing list<br><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div></blockquote></div><br><br clear="all"><div><br></div>--<span> </span><br>
Matthias Wessendorf<span> </span><br><br>blog:<span> </span><a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions:<span> </span><a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter:<span> </span><a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">_______________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">aerogear-dev mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">aerogear-dev@lists.jboss.org</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div></div><br></div><br>_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br>
<br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>
_______________________________________________<br>aerogear-dev mailing list<br><a href="javascript:_e(%7B%7D,'cvml','aerogear-dev@lists.jboss.org');" target="_blank">aerogear-dev@lists.jboss.org</a><br><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></blockquote>
</div><br></div></blockquote><br><br>-- <br>Sent from Gmail Mobile<br>