[richfaces-issues] [JBoss JIRA] Reopened: (RF-3586) URLs of resources are not predictable

Olivier Martin (JIRA) jira-events at lists.jboss.org
Mon Nov 17 09:15:37 EST 2008


     [ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Martin reopened RF-3586:
--------------------------------



The proposed solution does not solve the issue, since the ! character is reserved by the W3C RFC on URIs:
http://www.faqs.org/rfcs/rfc1630.html

I'm going to be more precise about this issue, since a lot of our projects are being denied to go into production by the security department because of the URIs auto-generated by RichFaces. (In fact the original fix still does not solve the main issue here: the URLs are *NOT* predictable.)

Before going into the details I would like to insist on the fact that many people are going to face the same issue here when developing in a corporate environment: there are rules, and generating the URLs dynamically like this should be avoided. We will probably end up extracting and including the resources by hand, which will allow us to control how they are cached anyway.
-> The white-list pattern is something I've seen a lot: everything is forbidden unless explicitly specified!

--- The details ---

URIs must comply with these RFCs:
http://www.faqs.org/rfcs/rfc1630.html
http://www.faqs.org/rfcs/rfc1738.html
http://www.faqs.org/rfcs/rfc1808.html
http://www.faqs.org/rfcs/rfc2396.html
http://www.faqs.org/rfcs/rfc3986.html

More client-specific rules:
- For directories, allowed characters are: 'a-z', 'A-Z', '0-9', '%', '_', '-'
- For file names, allowed characters are: 'a-z', 'A-Z', '0-9', '%', '_', '-', '.' (for the extension), '=', '?'
- No multiple '/' or '.'
- No unicode
- No path depth > 8
etc.

> URLs of resources are not predictable
> -------------------------------------
>
>                 Key: RF-3586
>                 URL: https://jira.jboss.org/jira/browse/RF-3586
>             Project: RichFaces
>          Issue Type: Bug
>          Components: docs updated
>    Affects Versions: 3.1.4, 3.1.5, 3.2.0
>            Reporter: Olivier Martin
>            Assignee: Mikhail Vitenkov
>             Fix For: 3.2.2
>
>
> The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world.
> When applications are deployed in production, the list of the URLs it uses has to be known: the firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters.
> For instance the following URL has several problems :
> a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces
> * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release
> * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode()  ?!!
> * The part "eAF7P..bLgAIQwM." contains ".." characters
> Overall we had to bypass the usual security restrictions to put an application in production; this is unacceptable.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
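As an added example (not code from the issue, from RichFaces, or from the reporter), the following Python check encodes the client-specific white-list rules listed in the comment and applies them to the URL quoted in the report, the way a deployment review of a resource path might. The rule messages, the hand-extracted sample path and the assumption that the check receives a path relative to the web root are constructed for this illustration.

```python
import re
from typing import List

# Allowed character classes taken from the comment's rules (assumption: the
# '%' of a percent-escape counts as a plain allowed character).
DIR_SEGMENT_RE = re.compile(r"^[A-Za-z0-9%_-]+$")
FILE_NAME_RE = re.compile(r"^[A-Za-z0-9%_\-.=?]+$")
MAX_PATH_DEPTH = 8  # "No path depth > 8"


def check_resource_path(path: str) -> List[str]:
    """Return every white-list rule a relative resource path violates.

    An empty list means the path would pass the rules listed in the comment.
    The path is assumed to be relative to the web root; one leading '/' is
    tolerated and stripped.
    """
    violations: List[str] = []
    if path.startswith("/"):
        path = path[1:]

    # "No unicode": everything must be plain ASCII.
    if not path.isascii():
        violations.append("non-ASCII (unicode) characters present")

    # "No multiple '/' or '.'": this is also what a '..' black-list catches.
    if "//" in path or ".." in path:
        violations.append("repeated '/' or '.' sequence")

    segments = path.split("/")
    if len(segments) > MAX_PATH_DEPTH:
        violations.append(f"path depth {len(segments)} exceeds {MAX_PATH_DEPTH}")

    # Every segment but the last is a directory; the last is the file name.
    *directories, file_name = segments
    for segment in directories:
        if not DIR_SEGMENT_RE.match(segment):
            violations.append(f"directory segment {segment!r} uses disallowed characters")
    if not FILE_NAME_RE.match(file_name):
        violations.append(f"file name {file_name!r} uses disallowed characters")
    return violations


if __name__ == "__main__":
    # The generated URL from the report beside a constructed hand-extracted path.
    for sample in ("a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces",
                   "css/richfaces-table.css"):
        problems = check_resource_path(sample)
        print(sample, "->", "accepted" if not problems else "; ".join(problems))
```

The generated URL trips the repeated '.' rule and two directory-character rules, while a statically extracted stylesheet under a fixed directory passes unchanged.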