Managing an image transformation URL whitelist
By default, CID accepts any URL under http://localhost. During implementation you may want to allow all such URLs (or even more), but once CID goes into production, it is advisable to restrict the URLs that a user can reference to a whitelist of allowed URLs, which you configure in cwd_engine_conf.xml. Trying to convert an image whose URL does not match the whitelist results in a WARN log message, and CID returns a 1 by 1 pixel transparent GIF instead of the image.
Procedure
- In your CID Web application, navigate to WEB-INF/classes/ (Java) or to bin\config\ (.NET).
- Open cwd_engine_conf.xml for editing. Find the <context> section, which contains the following fragment:

      <image>
        <whitelist>
          <enabled>true</enabled>
          <urls>
            <localhost>http://localhost**</localhost>
          </urls>
        </whitelist>
      </image>

  This means that whitelisting is enabled and restricted to URLs that start with the string http://localhost (meaning any image on the local Web site). If you specified any aliases for files or file locations in the <sources> section of this file, those locations and files are automatically whitelisted, provided that they are added to the image transformation URL as aliases. That is, a <sources> entry <foo>http://www.example.com/images/</foo> means that /source/foo/bar.jpg can be added to the image transformation URL, but /www.example.com/images/bar.jpg cannot (unless you explicitly add that URL in the <whitelist> section).
- If you are currently implementing CID, and you trust all users constructing image transformation URLs to use only safe sources for images, consider disabling whitelisting altogether by setting the value of <enabled> to false. Alternatively, you may leave whitelisting enabled but extend the URLs from which images may be obtained.
- If you want to specify whitelist entries beyond localhost and beyond the locations or files mentioned under <sources>, then within <urls> create one or more child elements to represent additional entries for your whitelist. Each child element must have a unique name and must contain one of the following as its value:
  - URL with wildcard characters. The value of the child element can be a URL containing one or both of the following wildcards:

        Wildcard   Description
        *          Represents any sequence of 0 or more characters except /, the forward slash.
        **         Represents any sequence of 0 or more characters.

    For example, a <urls> section may look as follows:

        <urls>
          <corporateImagesUrl>http://www.example.com*/images/*.jpg</corporateImagesUrl>
          <localImagesUrl>http://localhost:9090/images**/*.jpg</localImagesUrl>
        </urls>

    This configuration has the following effects:
    - The corporateImagesUrl element allows any JPEG files located in the www.example.com root folder called images/ (but not in any of its subfolders). These files are allowed regardless of which port is used to access www.example.com, so long as the HTTP protocol is used (rather than HTTPS).
    - The localImagesUrl element allows any JPEG files located anywhere under the localhost:9090 root folder called images/ (including any of its subfolders), so long as the HTTP protocol is used (rather than HTTPS).
    - Images from any other source are not accepted.
  - Regular expression representing a set of URLs. Alternatively, the value of the child element can start and end with a / character to indicate that the string enclosed between these two forward slashes is a Java regular expression. The following example <urls> section demonstrates a number of regular expressions:

        <urls>
          <localImagesUrl>/^http://127\.0\.0\.1*/images/*\.jpg.*$/</localImagesUrl>
          <exampleSiteImagesUrl>/^http://www\.example\.com.*$/</exampleSiteImagesUrl>
          <testSitesImagesUrl>/^http://www\.test[0-9]*\.com/.*$/</testSitesImagesUrl>
        </urls>

    The syntax of the regular expression is defined in the API documentation for the java.util.regex.Pattern class: http://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html.
- Save and close cwd_engine_conf.xml and restart your Web application.
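To sanity-check a whitelist before restarting the application, the following added Python example (not CID's own code) reads a <urls> fragment, applies the wildcard and /regex/ rules described above, and reports which entry, if any, accepts a given image URL. The <urls> content is constructed from the entries above; that an entry must match the whole URL, and that * may span the host:port part, are assumptions about CID's behaviour.

```python
import logging
import re
import xml.etree.ElementTree as ET

# Constructed <urls> fragment (assumption): the page's two wildcard entries plus one regex entry.
URLS_XML = r"""<urls>
  <corporateImagesUrl>http://www.example.com*/images/*.jpg</corporateImagesUrl>
  <localImagesUrl>http://localhost:9090/images**/*.jpg</localImagesUrl>
  <testSitesImagesUrl>/^http://www\.test[0-9]*\.com/.*$/</testSitesImagesUrl>
</urls>"""

def wildcard_to_regex(pattern):
    """Translate a wildcard entry into an anchored regex:
    '**' matches any sequence, '*' matches any sequence except '/'."""
    escaped = re.escape(pattern)  # '.', '?' etc. are literal characters in a URL pattern
    regex = escaped.replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + regex + "$")

def load_whitelist(xml_text):
    """Map each child element name under <urls> to a compiled pattern.
    A value wrapped in forward slashes is treated as a regular expression."""
    entries = {}
    for child in ET.fromstring(xml_text):
        value = (child.text or "").strip()
        if len(value) > 1 and value[0] == value[-1] == "/":
            entries[child.tag] = re.compile(value[1:-1])
        else:
            entries[child.tag] = wildcard_to_regex(value)
    return entries

def match_entry(whitelist, url):
    """Return the name of the first entry matching the whole URL, or None.
    Whole-URL matching is an assumption, mirroring Java's Matcher.matches()."""
    for name, rx in whitelist.items():
        if rx.fullmatch(url):
            return name
    logging.warning("image URL rejected by whitelist: %s", url)  # CID would serve the 1x1 GIF here
    return None

if __name__ == "__main__":
    wl = load_whitelist(URLS_XML)
    for u in ("http://www.example.com:8080/images/logo.jpg",   # allowed: any port
              "http://www.example.com/images/sub/logo.jpg",   # rejected: subfolder
              "https://www.example.com/images/logo.jpg",      # rejected: HTTPS
              "http://localhost:9090/images/a/b/c.jpg",       # allowed: ** spans subfolders
              "http://www.test42.com/any/path.png"):          # allowed: regex entry
        print(u, "->", match_entry(wl, u))
```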