Block freemarker template files being delivered publicly through WebFileValve - Best practice


Thorben Heins

Dec 14, 2015, 6:10:46 AM
to Hippo Community
Hi folks,

we stumbled over the fact that it is possible to read all the template files publicly through the /webfiles resource, which is not very desirable at all. Is there a best practice to prevent that? I looked into the WebFileValve which does not seem to check for any attributes on the nodes before writing the binary into the output stream.

My first approach will be to implement my own valve that is invoked before the webfiles one and block /webfiles/[cacheBuster]/freemarker/* requests, returning a 403.

Maybe there is a less workaround way to address this issue? Is there an easy way to store the ftls somewhere else in the JCR entirely?

Any other suggestions?

Greetings,
Thorben
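
The approach sketched above (a blocking step in front of webfiles delivery that answers 403), as an added example that is not code from this thread or from Hippo: a plain servlet Filter, assumed to be mapped to /webfiles/* in web.xml, rather than an HST valve. It canonicalizes the request path before matching so that an encoded or traversal-style URL cannot bypass the check; the URL layout /webfiles/<cacheBuster>/freemarker/... and the extra rule denying any .ftl below /webfiles are assumptions.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not Hippo code): denies public delivery of FreeMarker templates under /webfiles. */
public class WebFilesTemplateBlockFilter implements Filter {
    /** Percent-decode (Java 10+ API), then resolve "." and ".." segments, so that an
     *  encoded or traversal-style URL cannot slip past the string comparison below. */
    static String canonicalize(String rawPath) {
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        Deque<String> out = new ArrayDeque<>();
        for (String seg : decoded.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { out.pollLast(); continue; }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    /** True for /webfiles/<cacheBuster>/freemarker/... and (assumption: stricter than the
     *  thread) for any *.ftl anywhere below /webfiles. Everything else passes through. */
    static boolean isBlocked(String pathWithinApp) {
        String p = canonicalize(pathWithinApp).toLowerCase(Locale.ROOT);
        String[] seg = p.split("/");          // seg[0] is "" because p starts with "/"
        if (seg.length < 2 || !seg[1].equals("webfiles")) return false;
        boolean inTemplateFolder = seg.length >= 4 && seg[3].equals("freemarker");
        return inTemplateFolder || p.endsWith(".ftl");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isBlocked(path)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;                                   // the webfiles valve never sees it
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

With this in place, /webfiles/abc/css/site.css still passes, while /webfiles/abc/freemarker/page.ftl, /webfiles/abc/%66reemarker/page.ftl and /webfiles/abc/css/../freemarker/page.ftl all receive a 403.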

Ard Schrijvers

Dec 14, 2015, 6:19:56 AM
to hippo-c...@googlegroups.com
Hey Thorben,

This has been tackled some time ago as a security issue, see [1]. It
has been publicly announced on the 17th of November, see [2].

HTH,

Regards Ard

[1] http://www.onehippo.org/security-issues-list/security-4.html
[2] https://groups.google.com/forum/#!msg/hippo-community/jZu8gJSkcHk/6L1D5zu4BwAJ
> --
> Hippo Community Group: The place for all discussions and announcements about
> Hippo CMS (and HST, repository etc. etc.)
>
> To post to this group, send email to hippo-c...@googlegroups.com
> RSS:
> https://groups.google.com/group/hippo-community/feed/rss_v2_0_msgs.xml?num=50
> ---
> You received this message because you are subscribed to the Google Groups
> "Hippo Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to hippo-communi...@googlegroups.com.
> Visit this group at https://groups.google.com/group/hippo-community.
> For more options, visit https://groups.google.com/d/optout.



--
Hippo Netherlands, Oosteinde 11, 1017 WT Amsterdam, Netherlands
Hippo USA, Inc. 71 Summer Street, 2nd Floor Boston, MA 02110, United
states of America.

US +1 877 414 4776 (toll free)
Europe +31(0)20 522 4466
www.onehippo.com

Thorben Heins

Dec 14, 2015, 8:36:02 AM
to Hippo Community
Hi Ard,

thanks for the quick reply. This whitelisting approach looks a lot better. Guess we will be updating to 10.1.0 then and use it instead of building a legacy no one needs.

Are there any upgrading guidelines (first timer here)?

Regards,
Thorben

Ard Schrijvers

Dec 14, 2015, 9:47:34 AM
to hippo-c...@googlegroups.com
If you don't use targeting, upgrading from 10.x to 10.1.y pretty much
boils down to bumping the release pom, rebuilding and then deploying with
-Drepo.bootstrap=true

HTH,

Regards Ard

Thorben Heins

Dec 14, 2015, 11:29:19 AM
to Hippo Community
Good to know (not using targeting). Why is the bootstrapping necessary in this case?

Thanks!
Thorben

Ard Schrijvers

Dec 14, 2015, 11:59:01 AM
to hippo-c...@googlegroups.com
On Mon, Dec 14, 2015 at 5:29 PM, Thorben Heins <ma...@thorben-heins.de> wrote:
> Good to know (not using targeting). Why is the bootstrapping necessary in
> this case?

Because in a minor upgrade we can introduce compatible features which
require some bootstrap content.

This is also described at [1] but does require a login to read.

Regards Ard

[1] http://www.onehippo.org/library/upgrade-minor-versions/upgrade-10.0.x-to-10.1.y.html

Thorben Heins

Dec 14, 2015, 12:13:32 PM
to Hippo Community
And the only way to get a login is to buy the enterprise license?

Stefan Schinkel

Dec 14, 2015, 12:44:42 PM
to hippo-c...@googlegroups.com
Hi Thorben, indeed.

The Enterprise documentation is only accessible for clients with an enterprise license or Hippo OnDemand contract. Would you be interested in an enterprise license?

Best

Stefan

Ate Douma

Dec 14, 2015, 3:43:44 PM
to hippo-c...@googlegroups.com
On 2015-12-14 18:44, Stefan Schinkel wrote:
> Hi Thorben, indeed.
>
> The Enterprise documentation is only accessible for clients with an enterprise
> license or Hippo OnDemand contract. Would you be interested in an enterprise
> license?

To be precise: only upgrade documentation and a few specific topics concerning
Enterprise specific installations are reserved.
All other documentation, including for Enterprise features, is publicly available.
