

Subject: [OASIS Issue Tracker] Commented: (CMIS-677) Browser Binding URLpatterns



    [ http://tools.oasis-open.org/issues/browse/CMIS-677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23341#action_23341 ] 

Jens Hübel commented on CMIS-677:
---------------------------------

Summarizing the discussion from the Conf Call on Nov 8th, 2010

Concern:
URIs with different objectIds refer to different CMIS resources. Therefore the objectId should be part of the path in the URL and not a query string.

Justification of current proposal:
We cannot make assumptions about the character set in the URI. There are known implementations which have a slash '/' in the object id, for example. The usual solution is escaping; however, there are two issues with escaping:

1)  A client may switch between AtomPub and WS binding and the object id would no longer stay the same. The object id also could be transferred between different applications using different bindings.

2) There is an issue with slash escaping in Tomcat.

Here is some more investigation around 2):
see: http://tomcat.apache.org/security-6.html
search for: "important: Directory traversal CVE-2007-0450 "
some background also here: http://stackoverflow.com/questions/591694/url-encoded-slash-in-url:

RFC 3986 - Section 2.2 says: 
"If data for a URI component would conflict with a reserved character's purpose as a delimiter, 
then the conflicting data must be percent-encoded before the URI is formed." 
(RFC 3986 - Section 2.2)

But if you have got a URL with the %2F sequence, Tomcat returns: "400 Invalid URI: noSlash"
There are config params available to change this behavior, for example:
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true 

Discussion and questions:
Can we live with the restriction that an object id in the browser binding is encoded if it contains reserved characters?
Can we live with the restriction that certain implementations might require a configuration of tomcat that opens a potential security issue in rare cases?
Should we consider other escaping mechanisms than percent encoding?
How do we prioritize "cleaner URL pattern" against "escaped object id"?





> Browser Binding URL patterns
> ----------------------------
>
>                 Key: CMIS-677
>                 URL: http://tools.oasis-open.org/issues/browse/CMIS-677
>             Project: OASIS Content Management Interoperability Services (CMIS) TC
>          Issue Type: Improvement
>          Components: Browser Binding
>            Reporter: Florian Mueller
>            Assignee: Gregory Melahn
>
> In order to keep browser binding clients as simple as possible we should introduce fixed URL patterns.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
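The following Python example is an added illustration and is not part of the JIRA thread or of any CMIS implementation. It shows the two placements discussed above (object id as a percent-encoded path segment versus as a query parameter) and why the order of "split the path, then decode the segment" matters: a server that decodes the whole path before routing turns an encoded slash back into a delimiter, which is the behaviour Tomcat's default rejection of %2F guards against. The base URL and the object ids are constructed sample values.

```python
"""Percent-encoding object ids that may contain '/' (added example, not project code)."""
from urllib.parse import quote, unquote, urlencode, urlsplit, parse_qs

# Constructed sample ids. Real repositories may emit any opaque string,
# including ones that already contain reserved characters or '%'.
SAMPLE_IDS = ["workspace://SpacesStore/1234", "plain-id-42", "a%2Fb"]
BASE = "http://repo.example/cmis"  # hypothetical base URL


def path_url(base, object_id):
    """Place the id in the path; safe='' makes quote() encode '/' and ':' too."""
    return f"{base}/objects/{quote(object_id, safe='')}"


def query_url(base, object_id):
    """Place the id in the query string (the placement the proposal defends)."""
    return f"{base}/objects?{urlencode({'objectId': object_id})}"


def id_from_path_split_first(url):
    """Split on '/' BEFORE decoding, so a %2F stays inside its segment.

    Returns None if the id did not arrive as exactly one segment after
    'objects', which is what happens when a raw '/' leaks into the path.
    """
    segments = urlsplit(url).path.split("/")
    if "objects" not in segments:
        return None
    rest = segments[segments.index("objects") + 1:]
    if len(rest) != 1 or rest[0] == "":
        return None
    return unquote(rest[0])


def id_from_path_decode_first(url):
    """The order that breaks: decode the whole path, then split on '/'.

    An id containing '/' is torn into several segments and routing fails
    (or, worse, matches a different route). Returned None signals that.
    """
    segments = unquote(urlsplit(url).path).split("/")
    if "objects" not in segments:
        return None
    rest = segments[segments.index("objects") + 1:]
    return rest[0] if len(rest) == 1 and rest[0] != "" else None


def id_from_query(url):
    """Query parameters are decoded per value, so '/' in the id is harmless."""
    vals = parse_qs(urlsplit(url).query).get("objectId")
    return vals[0] if vals else None


def roundtrip_ok(object_id):
    """True when both placements reproduce the original id with split-first decoding."""
    return (id_from_path_split_first(path_url(BASE, object_id)) == object_id
            and id_from_query(query_url(BASE, object_id)) == object_id)


if __name__ == "__main__":
    for oid in SAMPLE_IDS:
        print(oid, "->", path_url(BASE, oid))
        print("  split-first :", id_from_path_split_first(path_url(BASE, oid)))
        print("  decode-first:", id_from_path_decode_first(path_url(BASE, oid)))
        print("  query       :", id_from_query(query_url(BASE, oid)))
```

Running it shows that "workspace://SpacesStore/1234" survives the query-string placement and the split-first path handling, while the decode-first path handling returns None because the id has been split into four segments. The id "a%2Fb" is double-encoded to "a%252Fb" on the wire and comes back intact, which is the round-trip property escaping must preserve regardless of which binding a client switches to.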