Project: Service Packs and Hot Fixes
Issue: MNT-17482

detail why it is a security risk to have clickable links in the preview

    Details

    • Type: Information
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 5.1.2
    • Fix Version/s: None
    • Component/s: Share Application
    • Labels:
      None
    • Environment:
      any
    • ACT Numbers: 00811635

      Description

      In Jira MNT-15613 the customer has requested that we consider allowing clickable links in the Share preview page.
      Engineering closed the request saying that it would be a security risk to allow links.

      Customer believes there would be no new security risk, and Support could not show evidence of a security risk.

      Things we have looked at:
      1) try to understand what previewer we use.
      On my 5.1.2 system it seems we use:
      /tomcat/webapps/share/components/preview/pdfjs/pdf.js

      2) confirm that pdf.js can do links by looking at the project documentation:

      https://github.com/mozilla/pdf.js/issues/3172

      see comment:

      "Any recent version of Firefox lets you right-click on anything that looks enough like an URL and then do "Open Link"."

      3) try to do it using a PDF with links.
      a) go to: http://mozilla.github.io/pdf.js/web/viewer.html
      b) click on the "Open file" icon
      c) upload the attached test.pdf
      d) right click on the link
      conclusion: it works, see attached video "click_preview.mp4"

      4) we do not understand what would be the difference in risk between allowing links in the DOM preview and allowing links in other parts of Share (wiki, HTML content)

      5) HTML tags in other parts of the product can be white/black-listed; see
      https://community.alfresco.com/community/ecm/blog/kevinr1/blog/2012/06/19/configuring-the-share-html-processing-blackwhite-list/
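
      Added illustration (not part of the reporter's description, and not code from Alfresco Share or pdf.js): the practical caveat behind "links are a security risk" is that a URI inside an uploaded document is chosen by whoever uploaded it, so a previewer that turns it into a clickable anchor has to decide which URI schemes it will honour, in the same spirit as the HTML white/black-list mentioned in item 5. The JavaScript below assumes link targets arrive as raw strings (for example the URI of a PDF link annotation) and applies a scheme allow-list, rejects embedded credentials, and sets rel="noopener noreferrer" on anything it accepts. The sample targets are constructed for the example and are not taken from any real document.

```javascript
// Added example for MNT-17482. Not Alfresco Share or pdf.js code.
// Assumption: link targets arrive as raw strings (e.g. the URI of a PDF
// link annotation) extracted from an untrusted, user-uploaded document.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Return a normalised absolute URL for an acceptable target, or null.
// The WHATWG URL parser lower-cases the scheme and strips embedded tab and
// newline characters, so "JAVA\tSCRIPT:..." still parses with protocol
// "javascript:" and is caught by the scheme check below.
function sanitizeLinkTarget(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw.trim()); // no base URL: relative targets are rejected
  } catch (e) {
    return null; // unparseable input is dropped, never rendered
  }
  // javascript:, data:, file:, vbscript:, custom handlers ... are all refused
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // refuse user:pass@host forms that can disguise the real destination
  if (url.username !== "" || url.password !== "") return null;
  return url.href;
}

// Attributes a previewer should set on the anchor for an accepted target.
// rel="noopener noreferrer" stops the opened page from reaching back into
// the preview window through window.opener.
function anchorAttributes(raw) {
  const href = sanitizeLinkTarget(raw);
  if (href === null) return null;
  return { href, target: "_blank", rel: "noopener noreferrer" };
}

// Apply the policy to a list of raw targets; returns accepted and rejected.
function filterLinkTargets(rawTargets) {
  const accepted = [];
  const rejected = [];
  for (const raw of rawTargets) {
    const attrs = anchorAttributes(raw);
    if (attrs === null) rejected.push(raw);
    else accepted.push({ raw, ...attrs });
  }
  return { accepted, rejected };
}

// Constructed sample input: the kinds of URI a link annotation in an
// uploaded PDF could carry. Hypothetical values, not from any real file.
const SAMPLE_TARGETS = [
  "https://example.com/report.pdf",
  "mailto:security@example.com",
  "  HTTPS://EXAMPLE.COM/path?q=1 ",
  "javascript:alert(document.cookie)",
  "JAVA\tSCRIPT:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "file:///etc/passwd",
  "https://user:secret@example.com/",
  "/relative/in-site/link",
];

const result = filterLinkTargets(SAMPLE_TARGETS);
console.log("accepted:", result.accepted.map((a) => a.href));
console.log("rejected:", result.rejected);
```

      Run with node; of the nine sample targets only the three http/https/mailto ones survive, and the whitespace-padded upper-case one comes back normalised to "https://example.com/path?q=1". The point for the discussion above is that the question is not "links or no links" but which targets a viewer is willing to honour and how the anchor is emitted.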


              People

              • Assignee: closedissues (Closed Issues)
              • Reporter: amadon (Alex Madon, Inactive)
              • Votes: 0
              • Watchers: 4
