New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Only allow `http:` and `https:` URLs for services #3577

Closed
ebruchez opened this Issue May 2, 2018 · 4 comments

Comments

Projects
1 participant
@ebruchez
Collaborator

ebruchez commented May 2, 2018

@ebruchez ebruchez self-assigned this May 2, 2018

@ebruchez

This comment has been minimized.

Show comment
Hide comment
@ebruchez

ebruchez May 3, 2018

Collaborator

As a first step:

  • allow http: and https: URLs in the HTTP Services dialog
  • block uses of the file: URL everywhere by default
Collaborator

ebruchez commented May 3, 2018

As a first step:

  • allow http: and https: URLs in the HTTP Services dialog
  • block uses of the file: URL everywhere by default
@ebruchez

This comment has been minimized.

Show comment
Hide comment
@ebruchez

ebruchez May 3, 2018

Collaborator

See also #3578.

Collaborator

ebruchez commented May 3, 2018

See also #3578.

@ebruchez ebruchez added this to To Review in Orbeon Forms 2017.2.2 May 18, 2018

ebruchez added a commit that referenced this issue May 22, 2018

@ebruchez

This comment has been minimized.

Show comment
Hide comment
@ebruchez

ebruchez May 22, 2018

Collaborator

file: is used in a few places for temporary files. Form Runner, for example, saves attachments using <xf:submission>, which reads them from a temporary file.

Do we need to configure this per model? Form Runner could be allowed to use the file: scheme, but not fr-form-model.

Things we need to prevent using file: for:

  • Form Builder HTTP services
  • manually inserted a schema, <xf:instance>, <xf:submission>
  • <xf:output> with image mediatype and pointing to a URL
  • possibly more!

One thing we could do first is prohibit file: everywhere except if the file URL starts with the path of java.io.tmpdir. That would be a first step.

Collaborator

ebruchez commented May 22, 2018

file: is used in a few places for temporary files. Form Runner, for example, saves attachments using <xf:submission>, which reads them from a temporary file.

Do we need to configure this per model? Form Runner could be allowed to use the file: scheme, but not fr-form-model.

Things we need to prevent using file: for:

  • Form Builder HTTP services
  • manually inserted a schema, <xf:instance>, <xf:submission>
  • <xf:output> with image mediatype and pointing to a URL
  • possibly more!

One thing we could do first is prohibit file: everywhere except if the file URL starts with the path of java.io.tmpdir. That would be a first step.

@ebruchez

This comment has been minimized.

Show comment
Hide comment
@ebruchez

ebruchez May 22, 2018

Collaborator

Closing. We can sandbox things more in the future, in particular #3578 will still be an issue.

Collaborator

ebruchez commented May 22, 2018

Closing. We can sandbox things more in the future, in particular #3578 will still be an issue.

@ebruchez ebruchez closed this May 22, 2018

@ebruchez ebruchez added this to Done in Orbeon Forms 2018.1 via automation May 22, 2018

Orbeon Forms 2017.2.2 automation moved this from To Review to Done May 22, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment