CONFSERVER-28103 (Confluence Server)

Expand external links security filtering to allow digits, plus, hyphen and periods in protocol

    Details

      Description

      The allowable protocols for external links were expanded in this task: https://jira.atlassian.com/browse/CONF-24665

      The regex used is still too restrictive for some customers. It should be expanded to match the characters the RFC allows in a protocol name whilst continuing to restrict dangerous protocols.

      Workaround

      1. Find <confluence_install>/confluence/WEB-INF/lib/confluence-4.x.x.jar and extract the contents of this file somewhere.
      2. Locate and edit com/atlassian/confluence/content/render/xhtml/antisamy-confluence-storage.xml.
      3. Around line 54 or so there should be a regex matching file, smb, irc, etc., similar to the following line:
        <regexp name="offsiteURL"
                    value="(\s)*(((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:)[\p{L}\p{N}/]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\(\)]*(\s)*" />

      4. Add the desired protocol (e.g. 'hansoft' or 'exp2') to this list and save. It should look like this:
        <regexp name="offsiteURL"
                    value="(\s)*(((ht|f)tp(s?)|file|smb|irc|news|nntp|feed|cvs|git|svn|mvn|ssh|itms|notes)://|mailto:|exp2:)[\p{L}\p{N}/]+[\p{L}\p{N}\p{Zs}\.\#@\$%\+&amp;;:\-_~,\?=/!\(\)]*(\s)*" />

      5. Place the modified XML file in the following directory: <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/content/render/xhtml/ (create the directories if they do not exist).
      6. Restart Confluence.

      Please note that allowing Confluence to save/render more link types can be a potential security risk. Additionally, this workaround is not a supported operation and may not be applicable to future upgrades as the product changes.

      Workaround with Collaborative Editing On

      In addition to the steps above, as of 6.2.2 it is possible to do the following:

      1. Find <confluence_install>/confluence/WEB-INF/atlassian-bundled-plugins/confluence-collaborative-editor-plugin-x.y.z.jar.
      2. Create a backup of the jar somewhere in a different directory.
      3. Extract the contents and locate the two files js/util/is-valid-uri.js and js/util/is-valid-uri-min.js.
      4. In both files, locate the list of allowed protocols (you can search for mailto: for example) and add the required protocols to that list, separated by |. Proper JS regex escaping is required here, so if the protocol is my-protocol1:// for example, it should be entered as
        my-protocol1:\\/\\/
      5. Repackage the jar and restart Confluence.

      Please note that allowing Confluence to save/render more link types can be a potential security risk. Additionally, this workaround is not a supported operation and may not be applicable to future upgrades as the product changes.
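      The following is an added example, not Confluence's or Atlassian's code: it models the offsiteURL allow list from both workarounds above in JavaScript so an administrator can check what an edited pattern accepts before repackaging anything. It rebuilds the regexp from a scheme list, checks any scheme to be added against the RFC 3986 scheme grammar (letter, then letters, digits, plus, hyphen or period), refuses script-capable schemes, and applies the regex escaping the collaborative-editor workaround calls for. The names buildOffsiteUrlRegex, isAllowedExternalLink, DEFAULT_SCHEMES and DANGEROUS_SCHEMES and the sample links are assumptions made for this example.

```javascript
"use strict";

// Scheme prefixes copied from the "offsiteURL" regexp in the workaround above.
const DEFAULT_SCHEMES = [
  "(?:ht|f)tps?://", "file://", "smb://", "irc://", "news://", "nntp://", "feed://",
  "cvs://", "git://", "svn://", "mvn://", "ssh://", "itms://", "notes://", "mailto:",
];

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). Used only to
// check a scheme an administrator wants to add; arbitrary schemes are never accepted.
const RFC3986_SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*$/;

// Script-capable schemes that must stay out of the allow list whatever the RFC permits.
const DANGEROUS_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// Escape a literal prefix such as "my-protocol1://" for a "u"-flag RegExp, giving
// "my-protocol1:\/\/" as the collaborative-editor workaround requires. "-" is left
// alone: outside a character class "\-" is a syntax error in unicode mode.
function escapeForRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

// Rebuild the offsiteURL pattern with extra literal prefixes (e.g. "exp2:", "my-protocol1://").
function buildOffsiteUrlRegex(extraSchemes = []) {
  for (const prefix of extraSchemes) {
    const m = /^([^:]+):/.exec(prefix); // scheme name is everything before the colon
    if (!m || !RFC3986_SCHEME.test(m[1])) throw new Error(`invalid scheme prefix: ${prefix}`);
    if (DANGEROUS_SCHEMES.has(m[1].toLowerCase())) throw new Error(`refusing to allow ${prefix}`);
  }
  const prefixes = [...DEFAULT_SCHEMES, ...extraSchemes.map(escapeForRegex)].join("|");
  // Same body as the XML regexp; the \p{..} classes need the "u" flag in JavaScript.
  const body = "[\\p{L}\\p{N}/]+[\\p{L}\\p{N}\\p{Zs}.#@$%+&;:\\-_~,?=/!()]*";
  return new RegExp(`^\\s*(?:${prefixes})${body}\\s*$`, "u");
}

// True if the link would survive the storage-format filter with the given extra schemes.
function isAllowedExternalLink(url, extraSchemes = []) {
  return buildOffsiteUrlRegex(extraSchemes).test(url);
}

// Constructed sample links: the last two only pass once their schemes are added.
const SAMPLES = [
  "https://example.com/path?x=1&y=2", "mailto:user@example.com", "javascript:alert(1)",
  "https://example.com/<img>", "exp2:page/1", "my-protocol1://host/item",
];
for (const url of SAMPLES) {
  const extended = isAllowedExternalLink(url, ["exp2:", "my-protocol1://"]);
  console.log(url.padEnd(36), "default:", isAllowedExternalLink(url), "extended:", extended);
}
```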

      People

      Assignee: Unassigned
      Reporter: Steven Lancashire (slancashire)
      Votes: 43
      Watchers: 41
