Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.


Daily Log for #alfresco

2018-04-12 01:55:52 GMT <digcat> ~later tell resplin catch up when you're about, is it possible to have the later tell stuff on the orderofthebee group?

2018-04-12 01:55:52 GMT <alfbot> digcat: The operation succeeded.

2018-04-12 06:21:42 GMT <yreg> Morning everyone !

2018-04-12 06:21:55 GMT *** yreg is now known as Guest66864

2018-04-12 06:29:14 GMT <Modestas> Hello guys

2018-04-12 06:29:43 GMT <Modestas> I have a question: how to enable logging into catalina.out under Windows?

2018-04-12 06:36:33 GMT <Guest66864> Modestas: did you use OOTB alfresco installers ?

2018-04-12 06:36:56 GMT <Guest66864> btw, it has been a while since we 've seen you around here

2018-04-12 06:37:25 GMT <Modestas> ou yea.. have been busy, working more with AFaust

2018-04-12 06:38:21 GMT <Modestas> getting back to catalina.out we are still on Alfresco community 5.0.c

2018-04-12 06:39:13 GMT <Guest66864> there should be an alfresco.log in the alfresco install folder

2018-04-12 06:39:24 GMT <Guest66864> if you installed using official installer

2018-04-12 06:39:57 GMT <Guest66864> similarly there should be a share.log and a solr.log as well for the different webapps

2018-04-12 06:40:46 GMT <fcorti> Sorry yreg (or Guest66864) for yesterday's lack of replies, but my child required some attention. :-)

2018-04-12 06:41:59 GMT <Guest66864> Modestas: also in the %TOMCAT_HOME%\logs there should be a file with all the logs combined, be aware tomcat for windows sometimes logs to the wrong file (so instead of checking the timestamp on the filename, check last modification date ;-) )

2018-04-12 06:42:13 GMT <Guest66864> no worries fcorti !

2018-04-12 06:44:16 GMT <Guest66864> I commented on the original ticket for that feature, I hope it gets some attention by Gavin... as the current output of that API may be easily corrupted in some special cases ...

2018-04-12 06:46:51 GMT <fcorti> Good that you left a comment. It is the right place to (try to) influence the team on this.

2018-04-12 07:58:36 GMT <DarkStar1> morning everybody

2018-04-12 08:53:06 GMT <AFaust> angelborroy: Feel free to correct me if I was misinterpreting your tweet...

2018-04-12 08:59:43 GMT <angelborroy> AFaust I absolutely agree with you

2018-04-12 09:00:00 GMT <angelborroy> And your English is better than mine (also your mind is sharper)

2018-04-12 09:00:10 GMT <angelborroy> So, go ahead and let me know if I can help :)

2018-04-12 09:03:18 GMT <mbui> A security test has been done on our Alfresco for one of our customers. One of the points was that some of Alfresco's OOTB APIs were considered an "information leak", meaning a potential hacker can take advantage and get user information, email addresses, admin users etc. Thoughts on this?

2018-04-12 09:03:59 GMT <mbui> These are some of those APIs mentioned: https://pastebin.com/uhZR5aMK

2018-04-12 09:04:00 GMT <alfbot> Title: share/proxy/alfresco/api/sites/<sitename>/memberships?size=250&nf=&authorityType - Pastebin.com (at pastebin.com)

2018-04-12 09:05:48 GMT <angelborroy> If a hacker is able to hack this, then you have a more serious problem than the “information leak”

2018-04-12 09:06:03 GMT <AFaust> I recently had a customer ask me to comment on a security report as well where "information leak" was a complaint

2018-04-12 09:06:28 GMT <AFaust> Turns out, most / all of the reported items are false-positive because of too strict / stupid rules...

2018-04-12 09:06:29 GMT *** yreg is now known as Guest12097

2018-04-12 09:06:42 GMT <angelborroy> +1

2018-04-12 09:07:29 GMT <angelborroy> mbui if someone is hacking these API calls by sniffing the traffic, then the problem is not in the APIs

2018-04-12 09:07:52 GMT <AFaust> i.e. the report would complain if a response contained the same value as provided in a URL query - well, gee, that happens when the response is reporting what parameters were used to execute an operation

2018-04-12 09:07:59 GMT <angelborroy> mbui if someone is hacking these API calls because he stole a password, then again the problem is not in the APIs

2018-04-12 09:08:48 GMT <AFaust> (though I just realise, my example was from the false-positive XSS complaints)

2018-04-12 09:08:49 GMT <angelborroy> mbui if someone is hacking these API calls because he has installed a hack on the client browser, then again the problem is not in the APIs

2018-04-12 09:09:08 GMT <angelborroy> (probably I can follow with this all the morning :))

2018-04-12 09:10:12 GMT <AFaust> There is one potentially valid item of "information leak" when an error response contains information about the version of Alfresco etc. - this can be dealt with by customising the default status template...

2018-04-12 09:11:02 GMT <AFaust> Though you wouldn't need that information to determine which Alfresco version a target has (as a hacker) - you'd just try to call some APIs added in specific versions and check which ones report a 404...

2018-04-12 09:13:34 GMT <AFaust> And some of the information disclosure (i.e. email addresses in user profiles / "modified by" links in HTML) are by design (provided the user is authenticated), so if you wanted to make Alfresco not "leak" that information, you'd have to restrict its usability / feature set...

2018-04-12 09:13:43 GMT <mbui> Isn't it considered an information leak if you can access information from a private site you don't have access to with a simple API call? Such as share/proxy/alfresco/api/sites/<sitename>/memberships?size=250&nf=&authorityType=USER

2018-04-12 09:15:00 GMT <AFaust> If it really were the case that the user was not authenticated / not a member of the site or not an admin, then yes... But AFAIK that API checks permissions, so there should be no disclosure...

2018-04-12 09:17:53 GMT <qwebirc94514> Hi Guys

2018-04-12 09:18:23 GMT <qwebirc94514> Upload for a large file fails. I have created a pastebin of the exception logs

2018-04-12 09:18:24 GMT <qwebirc94514> https://pastebin.com/xig6HdcP

2018-04-12 09:18:25 GMT <alfbot> Title: 2018-04-09 16:52:57,080 INFO [org.springframework.extensions.webscripts.connect - Pastebin.com (at pastebin.com)

2018-04-12 09:19:20 GMT <AFaust> qwebirc94514: Did you check that there isn't a network element (proxy / gateway) that might limit the size of the upload?

2018-04-12 09:21:48 GMT <qwebirc94514> No there are none AFAIK, because sometimes files of ~3GB upload successfully

2018-04-12 09:22:05 GMT <mbui> AFaust: Correction, you can access information on public sites with "Moderated site membership" that you are not a member of.

2018-04-12 09:22:41 GMT <qwebirc94514> https://issues.alfresco.com/jira/browse/MNT-2439 could my issue be related to this ?

2018-04-12 09:24:51 GMT <AFaust> mbui: Yes, that would be expected because a public moderated site means that everyone has read access on the site, and by extension its members (to know how to contact)

2018-04-12 09:25:13 GMT <AFaust> Though by default that would not be shown in the Share UI, the permission model allows for this

2018-04-12 09:25:40 GMT <mbui> Lol, the security report complained about the long deprecated YUI2 being used.

2018-04-12 09:26:10 GMT <mbui> AFaust: I see.

2018-04-12 09:26:27 GMT <AFaust> Though technically speaking, the site member groups never had any special permission protection, so even if you could not access that specific API because you did not have read access to the private site, if you knew its name, you could just call the regular authority APIs to list members on a low-level...

2018-04-12 09:27:16 GMT <AFaust> Since the site member groups are all based on a standard name convention

2018-04-12 10:00:08 GMT <mbui> Where can you customize the default status template? I.e. the Surf Webscript Status 500 one.

2018-04-12 10:09:22 GMT <AFaust> mbui: You would have to put it in the webapp WEB-INF/classes/webscripts path - it is not covered (AFAIK) by the extension path mechanism

2018-04-12 10:21:41 GMT *** angelborroy_ is now known as angelborroy

2018-04-12 11:12:48 GMT <mbui> AFaust: It seems the status page I need to override is in spring-surf-1.2.0-SNAPSHOT under webapps/share/WEB-INF/lib (V4.2.8). How does one proceed to do this?

2018-04-12 11:13:59 GMT <AFaust> As I said - override it via WEB-INF/classes/<pathInJar>

2018-04-12 11:14:15 GMT <mbui> Got it, thanks

2018-04-12 12:48:37 GMT <Guest12097> AFaust: QQ to double-check something : When a value is being recorded in auditing, the attribute service would check doubles and make sure to de-duplicate upon strings + primitive/boxed types but not for Serializable objects ?

2018-04-12 12:49:05 GMT <Guest12097> Serializable objects are never de-duplicated and would cause DB size to explode

2018-04-12 13:33:59 GMT <AFaust> Guest12097: Correct

2018-04-12 13:34:42 GMT <AFaust> There is no way to query for an entry by doing an equivalence check on an arbitrary BLOB

2018-04-12 13:35:57 GMT <AFaust> Alfresco would have to store Serializable objects as (Base64) encoded strings in order to support this, and then again, it would quickly run into the DB-specific String-length-limit issue for larger values

2018-04-12 13:37:01 GMT <AFaust> ^^ I mean the binary data would need to be encoded as string to support DB entry lookup by equivalence, and by extension de-duplication

2018-04-12 13:37:02 GMT <Guest12097> AFaust: thanks for confirming my doubts

2018-04-12 13:37:29 GMT <AFaust> Probably a CRC on the BLOB might be a better alternative for lookup + deduplication

2018-04-12 13:38:00 GMT * AFaust is considering a BetterPropertyDAOImpl now that he considered the CRC option...

2018-04-12 13:38:11 GMT <Guest12097> hehe

2018-04-12 13:38:27 GMT <Guest12097> one extra item on your endless todo list <grin>

2018-04-12 13:38:36 GMT <AFaust> <sigh> yeah

2018-04-12 13:38:36 GMT <angelborroy> AFaust how about “Enhanced*”?

2018-04-12 13:38:52 GMT <angelborroy> AFaust are you abandoning best practices? :D

2018-04-12 13:38:57 GMT * Guest12097 wonders how many items are there by now ...

2018-04-12 13:39:32 GMT <AFaust> I did use "Enhanced" in the past, and still use it for completely overhauled alternative services / components from time to time

2018-04-12 13:39:46 GMT <Guest12097> angelborroy: he doesn't miss an occasion to tease Alfresco engineers... hence Better vs Enhanced

2018-04-12 13:39:52 GMT <AFaust> But if the improvement is minor / limited to one aspect, it often is just "Better"...

2018-04-12 13:40:08 GMT <Guest12097> alright, so that's it

2018-04-12 13:40:40 GMT <angelborroy> btw why not a hash instead of the CRC?

2018-04-12 13:41:07 GMT <angelborroy> I didn’t know that CRC could be used to detect duplicates

2018-04-12 13:41:12 GMT <AFaust> Well - hash / CRC - the concept is the same...

2018-04-12 13:41:20 GMT <angelborroy> wow!!!!

2018-04-12 13:41:24 GMT <angelborroy> I caught you!

2018-04-12 13:41:29 GMT <angelborroy> First time ever!

2018-04-12 13:41:44 GMT <angelborroy> Probably you are tired, AFaust, go to have some rest…

2018-04-12 13:41:49 GMT <AFaust> I mean - lookup by a shortened value representing the object

2018-04-12 13:41:56 GMT <angelborroy> yep, yep

2018-04-12 13:42:02 GMT <angelborroy> try to justify yourself :-P

2018-04-12 13:43:37 GMT <AFaust> If you insist...

2018-04-12 13:43:55 GMT <angelborroy> you cannot cheat me: CRC is not the same as HASH

2018-04-12 13:45:16 GMT <AFaust> Alfresco already uses CRC (not hash) in alf_child_assoc for checking against child name duplicates

2018-04-12 13:45:36 GMT <angelborroy> Interesting

2018-04-12 13:45:50 GMT <AFaust> So I was just referring to a concept already used in Alfresco for easier understanding by other people familiar with Alfresco DB

2018-04-12 13:46:12 GMT <angelborroy> AFaust I’m just joking, you know me

2018-04-12 13:46:32 GMT <AFaust> Who said I wasn't joking as well...

2018-04-12 13:47:56 GMT <AFaust> CRC has the benefit of being much more cost effective on the DB than a proper hash

2018-04-12 13:48:31 GMT <angelborroy> that’s true

2018-04-12 13:48:55 GMT <AFaust> instead of a 64 byte string (SHA-256) you'd only have an 8-byte value. Final equality check could / should still be done in Java after lookup

2018-04-12 13:49:27 GMT <AFaust> Sorry, meant to say SHA-512 not 256

2018-04-12 13:49:52 GMT <angelborroy> In fact, the right algorithm is SHA-2

2018-04-12 13:50:00 GMT <angelborroy> And you can use 256, 384, 512… bytes

2018-04-12 13:50:18 GMT <angelborroy> :)

2018-04-12 13:50:48 GMT <AFaust> I still prefer to explicitly specify the number of bytes to be used

2018-04-12 13:51:05 GMT <angelborroy> Ok, so SHA-2 512 bytes then

2018-04-12 13:51:19 GMT <AFaust> Correct

2018-04-12 13:51:36 GMT <AFaust> Though I am just now looking if some library already implements SHA-3-512 in Java

2018-04-12 13:52:03 GMT <angelborroy> bouncy castle does not implement it?

2018-04-12 13:52:15 GMT <AFaust> Ahh - Java 9 has it via JEP 287

2018-04-12 13:52:26 GMT <AFaust> http://openjdk.java.net/jeps/287

2018-04-12 13:52:27 GMT <alfbot> Title: JEP 287: SHA-3 Hash Algorithms (at openjdk.java.net)

2018-04-12 13:52:32 GMT <angelborroy> You can use BouncyCastle

2018-04-12 13:53:12 GMT <AFaust> I prefer not to use BouncyCastle unless really necessary

2018-04-12 13:53:20 GMT <mbui> AFaust: Do you think the "best solution" for error pages (vulnerability with showing stack trace and version numbers etc.) is, instead of trying to override all error pages in Alfresco, to let your web server handle a generic error page?

2018-04-12 13:53:40 GMT <AFaust> Not because I have something against BouncyCastle, but because I hate the amount of "dependency sprawl" already going on

2018-04-12 13:53:44 GMT <angelborroy> AFaust Alfresco is including BouncyCastle 1.46

2018-04-12 13:54:19 GMT <angelborroy> But it looks like BC 1.46 does not implement SHA3

2018-04-12 13:54:52 GMT <angelborroy> probably in the last library upgrading for 201803 EA… let me check

2018-04-12 13:54:55 GMT <AFaust> Alfresco was also including an ANT library for a long time - should I have used that too, because it was included?

2018-04-12 13:55:20 GMT <angelborroy> They are using BC (at least) for encryption in EE

2018-04-12 13:55:49 GMT <AFaust> The same with most of the common-XY libraries. I only use them if there is a significant number of features they provide that are useful, but not for just a single "is empty String" check

2018-04-12 13:56:41 GMT <angelborroy> bingo!

2018-04-12 13:56:54 GMT <angelborroy> BC 1.59 is included with 201803-EA

2018-04-12 13:57:50 GMT <AFaust> mbui: If you have a web server fronting your solution, it might be the easiest option for global coverage.

2018-04-12 13:58:10 GMT <AFaust> But there aren't that many error pages to override in the first place...

2018-04-12 13:58:40 GMT <AFaust> And ideally, a solution would be as independent of the infrastructure as possible

2018-04-12 13:58:40 GMT <angelborroy> and if a hacker injects code between your web server and Alfresco you are in the same situation

2018-04-12 13:58:49 GMT <angelborroy> +1

2018-04-12 14:03:12 GMT <mbui> Isn't it possible to configure tomcat to handle generic error pages?

2018-04-12 14:03:26 GMT <mbui> Then I guess that'd be infrastructure independent??

2018-04-12 14:08:35 GMT <AFaust> Right

2018-04-12 14:11:30 GMT <AFaust> I can only find ~4 default status templates that would need to be adapted. One generic, and three specific for HTML, JSON and XML. In addition, there are only 7 web script specific 40x status templates, and one generic Share 404 page template

2018-04-12 14:33:40 GMT <mbui> Navigating to /share/proxy/alfresco/modules/deploy you get response 200, wtf?

2018-04-12 14:34:46 GMT <mbui> (For a non-admin user)

2018-04-12 15:15:36 GMT <Guest12097> -= THIS MESSAGE NOT LOGGED =-

2018-04-12 15:17:43 GMT <Guest12097> Oops, that's confirmed, just checked his LinkedIn

2018-04-12 15:20:35 GMT <Guest12097> -= THIS MESSAGE NOT LOGGED =-

2018-04-12 16:12:03 GMT <AFaust> Well, I don't give much about sales people. Most of them rarely provide any real value, apart from maybe being decent / good at wrestling a customer into signing a subscription...

2018-04-12 16:12:57 GMT <AFaust> Sure, you need them, but those were the people that in most of my 8 years had more negative than positive impact to begin with, so any change is always a chance to improve things...

2018-04-12 16:16:22 GMT <AFaust> I am quite surprised that - despite all the changes in sales / customer relationship handling over the years - Coralie Fulton (one of the first of my direct contacts) is still at Alfresco

2018-04-12 16:21:35 GMT <AFaust> fcorti_: Hope you and Kristen remember to do an Office Hours to introduce any new people relevant for the community once the dust has settled

2018-04-12 16:27:26 GMT <fcorti_> AFaust I feel like you are not interested in meeting new Sales people, but rather meeting new people in Engineering and/or Product Management Areas.

2018-04-12 16:27:40 GMT <fcorti_> AFaust in brief: yes of course.

2018-04-12 16:27:50 GMT <fcorti_> Any suggestion you have in mind?

2018-04-12 16:28:09 GMT <AFaust> Sure - since Richard and Thomas are now gone, someone's bound to take on their responsibilities

2018-04-12 16:29:15 GMT <AFaust> And who knows who else is setting sail for different shores or coming on board to take over

2018-04-12 16:30:57 GMT <fcorti_> -= THIS MESSAGE NOT LOGGED =-

2018-04-12 16:39:02 GMT <fcorti_> -= THIS MESSAGE NOT LOGGED =-

2018-04-12 17:54:07 GMT <douglascrp> interesting link http://githubstars.com/top-skill/Alfresco

2018-04-12 17:54:09 GMT <alfbot> Title: Top 125 Alfresco Developers | GithubStars (at githubstars.com)

2018-04-12 17:54:12 GMT <douglascrp> I didn't know this one

2018-04-12 18:35:27 GMT <AFaust> douglascrp: Whatever the metric is that they are using...

2018-04-12 18:36:07 GMT <douglascrp> it seems to be based on the first "contribution" and number of repositories

2018-04-12 18:37:32 GMT <douglascrp> AFaust, what I liked about it is that I could find some new repositories I didn't know

2018-04-12 18:37:51 GMT <douglascrp> even people I didn't know working (or that have worked) with alfresco

2018-04-12 23:06:55 GMT <digcat> ~later tell fcorti hey, hope all good your end, a quick question, do you know if there will be a right to be forgotten api call created on the content platform side ?

2018-04-12 23:06:55 GMT <alfbot> digcat: The operation succeeded.

End of Daily Log
