Skip to Content

IRC Archive for channel #xwiki

Last modified by Vincent Massol on 2012/10/18 19:12

florinciu joined #xwiki at 00:04
florinciu left at 00:35 (Read error: Connection reset by peer
abusenius left at 00:51 (Quit: Konversation terminated!
lucaa left at 01:29 (Ping timeout: 258 seconds
sdumitriu left at 03:17 (Ping timeout: 240 seconds
mflorea joined #xwiki at 06:25
nuvolari left at 07:21 (Excess Flood
nuvolari joined #xwiki at 07:22
nuvolari left at 07:24 (Changing host
nuvolari joined #xwiki at 07:24
kibahop joined #xwiki at 08:00
vmassol joined #xwiki at 08:16
sburjan joined #xwiki at 08:26
plunden joined #xwiki at 08:30
vmassol left at 08:50 (Quit: Leaving.
vmassol joined #xwiki at 08:53
vmassol1 joined #xwiki at 08:53
vmassol left at 08:58 (Ping timeout: 265 seconds
vmassol joined #xwiki at 09:14
vmassol1 left at 09:14 (Read error: Connection reset by peer
SvenDowideit left at 09:15 (Ping timeout: 264 seconds
SvenDowideit joined #xwiki at 09:18
SvenDowideit_ joined #xwiki at 09:22
SvenDowideit left at 09:23 (Ping timeout: 258 seconds
SvenDowideit_ is now known as SvenDowideit ([email protected]
Enygma` joined #xwiki at 09:26
silviar joined #xwiki at 09:27
lucaa joined #xwiki at 09:28
mflorea left at 09:33 (Quit: Leaving.
arkub joined #xwiki at 09:33
evalica joined #xwiki at 09:43
florinciu joined #xwiki at 09:52
sburjan - (09:52): hello guys. Question.
sburjan - (09:53): when I try to import an Office Document, I get an error saying "This feature requires an active openoffice server which we could not locate, please contact your administrator to resolve this issue. "
sburjan - (09:54): Is this normal ?
vmassol - (09:54): hi sburjan
vmassol - (09:54): yes it's normal
sburjan - (09:54): okay
tmortagne joined #xwiki at 10:04
evalica1 joined #xwiki at 10:11
sdumitriu joined #xwiki at 10:12
Denis joined #xwiki at 10:13
evalica left at 10:13 (Ping timeout: 272 seconds
KermitTheFragger joined #xwiki at 10:18
abusenius joined #xwiki at 10:23
jvdrean joined #xwiki at 10:30
CalebJamesDeLisl - (10:36): Good morning. It's too bad we can't flip the order of the 1.0 renderers because IMO 5272 is a blocker.
evalica1 is now known as evalica ([email protected]
mflorea joined #xwiki at 10:40
abusenius - (10:42): CalebJamesDeLisl: why do you think it is worse than 5223?
abusenius - (10:42): the result is the same emoticon_smile
CalebJamesDeLisl - (10:42): In 5223 you are restricted, (no <>"&)
CalebJamesDeLisl - (10:43): Not a good excuse though. They are related, I'd like to fix them both at the same time.
abusenius - (10:44): well, unless you want to do arithmetic its fine
abusenius - (10:44): " is not a problem
CalebJamesDeLisl - (10:44): These are both runious which is why I think it's worth it to break backward compatibility.
CalebJamesDeLisl - (10:44): *ruinous
abusenius - (10:45): I agree, those things should have never been allowed
CalebJamesDeLisl - (10:46): vmassol: What say you to adding a config param for breaking 1.0 renderer compatibility?
vmassol - (10:46): I don't understand why you want to touch the 1.0 rendernig engine, it shouldn't be touched
vmassol - (10:46): it's read only basically
vmassol - (10:46): and only there for backward compat
vmassol - (10:46): so we shoudn't touch it as much as possible
vmassol - (10:47): it's deprecated if you prefer
CalebJamesDeLisl - (10:47): To plug a _big_ hole.
vmassol - (10:47): the rendering 1.0 *IS* a big hole by itself
vmassol - (10:47): this is why we wrote the 2.0 one
CalebJamesDeLisl - (10:47): Well, XSS is not good but this hole is really bad.
abusenius - (10:47): there is no difference whether some insecure code is deprecated or not, as long as its is accessible, it can be exploitet
CalebJamesDeLisl - (10:48): see: 5272 and the list of documents.
vmassol - (10:48): well we do allow not making the 1.0 syntax avail
vmassol - (10:48): it's a config option
CalebJamesDeLisl - (10:49): Not sure that each of those has the hole but I can see that some do.
vmassol - (10:49): if you define a new config param you'll need to hav eit off by default so it won't help
abusenius - (10:49): this one should be on
CalebJamesDeLisl - (10:49): Why off by default? New installations won't need this.
vmassol - (10:49): then you break backward compat and you're going to hurt a lot of people
abusenius - (10:50): IMO there is no point in trying to make new code secure if there are still tons of old security holes kept for backward compatibility with old exploits
CalebJamesDeLisl - (10:50): Meaning upgrades?
vmassol - (10:50): hmm you're right, if people are caeful
vmassol - (10:50): they won't merge it
vmassol - (10:50): *careful
vmassol - (10:50): so it means off by default
CalebJamesDeLisl - (10:50): IMO people should merge it and only revert if there is a problem.
vmassol - (10:50): ie when it doesn't exist it's off
vmassol - (10:51): CalebJamesDeLisl: people won't know about it
CalebJamesDeLisl - (10:51): Also we are going to have to put out a bulletin for this IMO.
vmassol - (10:51): anywya needs to be discussed on the security list not here
abusenius - (10:51): true
CalebJamesDeLisl - (10:52): Well I'll send a proposal there.
sburjan left at 10:59 (Read error: Connection reset by peer
sburjan_ joined #xwiki at 10:59
jvelo joined #xwiki at 11:20
CalebJamesDeLisl - (11:28): Anyone (vmassol?) have a problem with me applying Alex's "no nested scripts" patch? http://jira.xwiki.org/jira/browse/XWIKI-5223
vmassol - (11:29): I can have a quick look to see if I spot anything wrong
vmassol - (11:30): tmortagne will want to review it too I'm sure
vmassol - (11:30): I can already see some things that need to be fixed before applying it
vmassol - (11:30): like:`
vmassol - (11:30): -.expect|event/1.0
vmassol - (11:30): +.# Skipped, since nested scripts are not allowed any more, but it is hard to match the error trace here
vmassol - (11:31): I don't like it FTM
vmassol - (11:31): wait I mis-read something
vmassol - (11:31): so I remove that last statement
vmassol - (11:31): emoticon_wink
vmassol - (11:31): stillr eading
vmassol - (11:32): thought alex had introduced the notion of script in abstractblock…. emoticon_wink
CalebJamesDeLisl - (11:32): But you have no problem with the basic idea that scripts shouldn't be nested?
vmassol - (11:32): ah yes he has
vmassol - (11:32):    currentBlock.setIsScript(true);
vmassol - (11:32): I don't like that part FTM (I'd need to understand it better)
vmassol - (11:33): CalebJamesDeLisl: I have no idea, haven't thought about it
vmassol - (11:33): I don't like that the checks are done internally as a general rule
vmassol - (11:33): I would have thought about some external rules
vmassol - (11:33): applied to an xdom
tmortagne - (11:33): i'm still not 100% sure about and and having script noting at AbstractBlock level is bad for sure
vmassol - (11:33): if someone wants nested scripts he won't be able not to run the filter
vmassol - (11:34): I'm ?1 to apply it as is
vmassol - (11:34): (after a quick review)
vmassol - (11:34): it adds the notion of scripts in several places
vmassol - (11:34): which shouldn't be aware of that
CalebJamesDeLisl - (11:35): -1 to the concept of blocking script in script?
vmassol - (11:35): (MAcroMaarkerBlock for ex)
tmortagne - (11:35): i don't even understand why he needs that
vmassol - (11:36): CalebJamesDeLisl: no, ?1 to hard code stuff and especially in places that shouldn't know about it
tmortagne - (11:36): also the patch contains lot's of code unrelated to the nested script blocking thing
vmassol - (11:36): (we need to keep an extensible implementation)
abusenius - (11:37): the reason why I added isScript is that I didn't wanted to hardcode "groovy" "velocity" etc
tmortagne - (11:37): abusenius: you don't need that
abusenius - (11:37): how do I distinguish between script and not script?
tmortagne - (11:37): just get the macro component and check if it's a ScriptMacro
abusenius - (11:38): but it ist the script macro, its a macro block that was added after macro execution
abusenius - (11:38): s/ist/isnt/
vmassol - (11:39): could it be that you want generic markers?
tmortagne - (11:39): and ? you know the macro id and all macros have corresponding components
tmortagne - (11:39): just get the component based on it
vmassol - (11:39): (haven't really thought about your algo though)
abusenius - (11:40): vmassol, well I wanted to distinguish differen macro types
abusenius - (11:40): but I need to look at the way tmortagne is suggesting
vmassol - (11:40): ok
tmortagne - (11:40): for now there is only an abstract for script macro i think but we can introduce a interface to be cleaner
tmortagne - (11:41): i need to open Eclipse but that's the second time it crashes...
abusenius - (11:42): vmassol: re skipped tests, I could find an easy way to match arbitrary error trace in unit test, I wrote functional tests instead
abusenius - (11:42): (for those 2)
vmassol - (11:43): abusenius: what I meant is that skipping tests is not a solution
vmassol - (11:43): either the tests are removed for some reason or they are executed
vmassol - (11:43): skipping is like commenting out code
abusenius - (11:44): well, it was meant as a temporary measure
vmassol - (11:44): sure
vmassol - (11:44): but I was responding to caleb
vmassol - (11:45): that it needs to be fixed before applying the patch
tmortagne - (11:45): abusenius: checked, there is only AbstractScriptMacro but you can introduce a ScriptMacro interface (it was not needed before and check the type based on an abstract is not nice) in the same package (it's a public package)
CalebJamesDeLisl - (11:45): Hmm how about ScriptMacroMarkerBlock extends MacroMarkerBlock then just check what type of class it is?
tmortagne - (11:46): CalebJamesDeLisl: the MacroBlock is generated by the generic macro transformation
tmortagne - (11:46): it doe snot know anything about scripts
tmortagne - (11:46): s/MacroBlock/MacroMarkerBlock/
CalebJamesDeLisl - (11:46): Ok. I'm not very well versed in the renderer.
abusenius - (11:50): tmortagne: ok, I'll update the patch accordingly
Enygma`1 joined #xwiki at 11:53
mflorea1 joined #xwiki at 11:53
tmortagne - (11:54): abusenius, CalebJamesDeLisl: btw after some tough i'm ok with this blocking nested script things in theses use case since if you really need that for a valid use case you can use other ways like special macro or programatically which are less easy but it's maybe better to let only users that knows what they do support this
evalica1 joined #xwiki at 11:54
florinciu1 joined #xwiki at 11:54
lucaa1 joined #xwiki at 11:55
silviar1 joined #xwiki at 11:55
silviar1 left #xwiki at 11:55
lucaa left at 11:56 (Ping timeout: 240 seconds
silviar left at 11:56 (Ping timeout: 240 seconds
Enygma` left at 11:56 (Ping timeout: 240 seconds
mflorea left at 11:56 (Ping timeout: 264 seconds
florinciu left at 11:56 (Ping timeout: 252 seconds
evalica left at 11:56 (Ping timeout: 265 seconds
vmassol - (11:57): tmortagne: you mean putting the check by default in AbstractScript instead of doing it in a filter (in a Tx for ex)?
sburjan_ left at 11:57 (Ping timeout: 240 seconds
vmassol - (11:57): why couldn't it be done in a Tx btw?
mflorea joined #xwiki at 11:57
vmassol - (11:57): (it was meant for this kind of use cases)
CalebJamesDeLisl - (11:58): Tx? Transformation?
evalica joined #xwiki at 11:58
vmassol - (11:58): yes
CalebJamesDeLisl - (11:58): I asked the same, it's because you can hide a macro inside of an html macro.
Enygma`1 left at 11:58 (Ping timeout: 276 seconds
CalebJamesDeLisl - (11:59): Failed to execute the [velocity] macro. Cause: [Nested scripts are not allowed. Current Script Macro [velocity] (source [dev:IRC.xwikiArchive20100614]) is executed inside Script Macro [velocity] (source [dev:IRC.xwikiArchive20100614])]. Click on this message for details.

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected