
Excluding subfolders of alias file locations from use

In your cwd_engine_conf.xml, if your <sources> section contains a <urls> section that contains any entries that start with file:/// (that is, entries that refer to a location on disk), then certain subfolders are excluded from use by default for security reasons. You can change this list of subfolders to suit your own security requirements.

About this task

By default, users constructing an image transformation URL and using an alias that refers to a disk location cannot use any of the following folders:

  • WEB-INF
  • bin
  • .*, that is, any subfolder whose name starts with a period (.)

This means that, for example, given an alias local with value file:///C:/workspaces/images, by default, a user cannot append /source/local/foo/WEB-INF/bar.jpg to an image transformation URL, because bar.jpg is located in the excluded subfolder WEB-INF/. Similarly, /source/local/.settings/fred.jpg is not allowed.

These locations are excluded by default because they typically refer to sensitive locations on disk, which malicious users could take advantage of. Your disk locations may contain further or different sensitive locations. To configure those, you can add an <excludedFolders> element to the <sources> section. Note that if you do, the default set of folders no longer applies. To continue excluding those folders, add them to <excludedFolders>.

Procedure

  1. Access the configuration location of the CID microservice.
  2. Open cwd_engine_conf.xml for editing.
  3. Find the <sources> section.
  4. Within <sources>, directly below <urls>, insert a sibling element called <excludedFolders>.
  5. Set the value of <excludedFolders> to a comma-separated list of folders you would like to exclude.

    For example, the following <excludedFolders> element excludes all default excluded folders plus any folder named foo from use:

    <excludedFolders>WEB-INF, bin, .*, foo</excludedFolders>

    Note the following about each entry in this comma-separated list:
    • In the unlikely event that the name of the folder you want to exclude contains a comma, escape the comma by placing a backslash (\) before it.
    • Instead of a literal string, you can also include one or both of the following wildcard characters in the string:
      Wildcard   Description
      *          Represents any sequence of 0 or more characters except /, the forward slash.
      **         Represents any sequence of 0 or more characters.
      For example, to simply exclude all subfolders, use:
      <excludedFolders>*</excludedFolders>
    • Instead of a literal string, you can also write a string that starts and ends with a slash /, which means that it will be read as a Java regular expression. The syntax of the regular expression is defined in the API documentation for the java.util.regex.Pattern class as found here: http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html.
  6. Save and close cwd_engine_conf.xml and restart your microservice to apply your changes.
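
The following pre-deployment check is an added example, not part of the product or of the original page: it parses an <excludedFolders> value (including backslash-escaped commas) and reports which of the default exclusions a custom list no longer covers. The function names and the sample XML are constructed, and the script assumes that whitespace around entries is trimmed and that each literal or wildcard entry is compared against every folder name in the path; regex entries (/.../) are classified but not evaluated, because Python's re is not java.util.regex.

```python
import re
import xml.etree.ElementTree as ET

# Defaults named on this page, each with a constructed folder name it should block.
DEFAULTS = {"WEB-INF": "WEB-INF", "bin": "bin", ".*": ".settings"}

def split_entries(value):
    """Split on commas, treating backslash-comma as a literal comma."""
    entries, cur, i = [], "", 0
    while i < len(value):
        if value.startswith("\\,", i):
            cur, i = cur + ",", i + 2
        elif value[i] == ",":
            entries, cur, i = entries + [cur.strip()], "", i + 1
        else:
            cur, i = cur + value[i], i + 1
    return [e for e in entries + [cur.strip()] if e]

def kind(entry):
    """Classify an entry as regex (/.../), wildcard (contains *) or literal."""
    if len(entry) >= 2 and entry[0] == "/" and entry[-1] == "/":
        return "regex"
    return "wildcard" if "*" in entry else "literal"

def to_pattern(entry):
    """Page semantics: * = any run of characters except '/', ** = any run."""
    parts = re.split(r"(\*\*|\*)", entry)
    return re.compile("".join(
        ".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts))

def blocked(entries, rel_path):
    """Assumption: every folder name in the path is tested against each entry."""
    folders = rel_path.split("/")[:-1]          # drop the file name
    patterns = [to_pattern(e) for e in entries if kind(e) != "regex"]
    return any(p.fullmatch(f) for p in patterns for f in folders)

def audit(conf_xml):
    """Return the parsed entries and the page defaults they no longer cover."""
    elem = ET.fromstring(conf_xml).find(".//excludedFolders")
    entries = list(DEFAULTS) if elem is None else split_entries(elem.text or "")
    missing = [d for d, name in DEFAULTS.items()
               if not blocked(entries, name + "/x.jpg")]
    return {"entries": entries, "missing_defaults": missing}

# Constructed fragment; a real cwd_engine_conf.xml has more around <sources>.
SAMPLE = "<sources><urls/><excludedFolders>foo, uploads</excludedFolders></sources>"

if __name__ == "__main__":
    print(audit(SAMPLE))   # entries and any page defaults left uncovered
```

Because regex entries are skipped, a default that is covered only by a regex entry is still reported as missing; confirm the effective behaviour against the running microservice after the restart.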