CVE-2022-29253: XWIKI-19349: Bad handling of classloader templates path resolution · xwiki/xwiki-platform@4917c8f
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.
@@ -24,6 +24,8 @@
import java.lang.reflect.Type;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.AbstractSet;
import java.util.Arrays;
import java.util.Collections;
@@ -896,14 +898,23 @@ private EnvironmentTemplate getFileSystemTemplate(String templateName)
: null;
}
private Template getClassloaderTemplate(String suffixPath, String templateName)
private Template getClassloaderTemplate(String prefixPath, String templateName)
{
return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), suffixPath, templateName);
return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), prefixPath, templateName);
}
private Template getClassloaderTemplate(ClassLoader classloader, String suffixPath, String templateName)
private Template getClassloaderTemplate(ClassLoader classloader, String prefixPath, String templateName)
{
String templatePath = suffixPath + templateName;
String templatePath = prefixPath + templateName;
// Prevent access to resources from other directories
Path normalizedResource = Paths.get(templatePath).normalize();
// Protect against directory attacks.
if (!normalizedResource.startsWith(prefixPath)) {
this.logger.warn("Direct access to skin file [{}] refused. Possible break-in attempt!", normalizedResource);
return null;
}
URL url = classloader.getResource(templatePath);
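Review bot: the check and the lookup operate on different values. `normalizedResource` is what gets validated, but `classloader.getResource(templatePath)` on the last line is still called with the raw, un-normalized string. Because `Path.startsWith` compares whole name elements, a `templateName` whose `..` stays under the prefix (for example `foo/../bar.vm`) passes the guard and then reaches the classloader with the `..` still in it, so the resource actually served depends on how that classloader resolves dot segments. Suggest looking up the value that was checked, e.g. `classloader.getResource(normalizedResource.toString().replace(File.separatorChar, '/'))` (classloader resource names always use `/`), or rejecting any `templateName` that contains `..` before concatenation. Minor: the warning message says "skin file" although this method resolves classloader templates, which will mislead whoever triages the log.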
### Impact

One can ask for any file located in the classloader using the template API and a path with ".." in it. For example:

```
{{template name="../xwiki.hbm.xml"/}}
```

To our knowledge none of the available files of the classloader in XWiki Standard contain any strong confidential data, hence the low confidentiality value of this advisory.

### Patches

The issue is patched in versions 14.0 and 13.10.3.

### Workarounds

There's no easy workaround for this issue; administrators should upgrade their wiki.

### References

* https://jira.xwiki.org/browse/XWIKI-19349
* https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [security mailing list](mailto:[email protected])
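The fix relies on two `java.nio.file` behaviours that are easy to get wrong: `normalize()` collapses `.` and `..` segments purely lexically, and `Path.startsWith` compares whole name elements rather than string prefixes. The following stand-alone class is an added example written for this page, not XWiki's code; it reimplements the same guard in isolation and runs it over a handful of constructed template names (the prefix `templates/` is an assumed value for illustration). It goes slightly beyond the advisory's single `../xwiki.hbm.xml` case to show which inputs a component-wise check refuses that a naive `String.startsWith` would let through.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not XWiki's own code): mirrors the normalize() + startsWith()
 * guard used in the CVE-2022-29253 fix so its semantics can be observed on
 * concrete inputs. The prefix "templates/" is an assumed value.
 */
public class TemplatePathGuard {

    /**
     * Returns the normalized resource path if it stays under prefixPath,
     * or null if the caller should refuse the request (the patch logs and
     * returns null at this point).
     */
    public static String resolveWithinPrefix(String prefixPath, String templateName) {
        String templatePath = prefixPath + templateName;
        // normalize() resolves "." and ".." lexically, without touching the file system,
        // so "templates/../x" becomes "x" and "templates/foo/../bar.vm" becomes "templates/bar.vm".
        Path normalized = Paths.get(templatePath).normalize();
        // Path.startsWith compares whole name elements, not characters:
        // "templatesX/a.vm" does NOT start with "templates", although the String would.
        if (!normalized.startsWith(prefixPath)) {
            return null;
        }
        return normalized.toString();
    }

    public static void main(String[] args) {
        String prefix = "templates/"; // assumed prefix for the demonstration
        // Constructed inputs: the advisory's example plus edge cases of the check.
        Map<String, String> cases = new LinkedHashMap<>();
        cases.put("../xwiki.hbm.xml", "escapes the prefix: refused (the advisory's example)");
        cases.put("foo/../bar.vm", "'..' that stays inside the prefix: allowed");
        cases.put("sub/dir/page.vm", "plain nested path: allowed");
        cases.put("../templatesX/a.vm", "sibling dir sharing a string prefix: refused");
        cases.put("./../../etc/passwd", "traversal above the prefix: refused");
        for (Map.Entry<String, String> c : cases.entrySet()) {
            String result = resolveWithinPrefix(prefix, c.getKey());
            System.out.printf("%-22s -> %-22s (%s)%n", c.getKey(),
                result == null ? "REFUSED" : result, c.getValue());
        }
    }
}
```

Two details worth keeping in mind when reusing this pattern: `normalized.toString()` uses the platform separator, so a value handed to `ClassLoader.getResource` on Windows must have `\` replaced by `/`; and the guard only proves the lexical path stays under the prefix, so the value that is subsequently looked up should be the normalized one rather than the original concatenation.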