Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Our you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2018-04-23 07:02:34 GMT <DarkStar1> Morning everyone

2018-04-23 07:03:20 GMT <yreg> Morning channel

2018-04-23 07:17:01 GMT <DarkStar1> yreg: Good morning dude. How is Bruxelles?

2018-04-23 07:18:13 GMT <yreg> DarkStar1, warm and cosy :D

2018-04-23 07:18:33 GMT <DarkStar1> Good to hear.

2018-04-23 07:19:22 GMT <qwebirc62523> Hi everyone

2018-04-23 07:19:38 GMT <DarkStar1> Hello qwebirc62523

2018-04-23 07:20:48 GMT <qwebirc62523> How to retrive parent node reference in share documentlibrary client side (The way upload file sets destination parameter) ?

2018-04-23 07:22:52 GMT <qwebirc62523> I can get the parent nodereference like this https://pastebin.com/KSphDRWL

2018-04-23 07:22:53 GMT <alfbot> Title: socialRegisterRenderer: function(record) { var jsNode = record.jsNode; A - Pastebin.com (at pastebin.com)

2018-04-23 07:23:23 GMT <qwebirc62523> but the problem is when there are no files in particular folder the socialRegisterRenderer event will not get called

2018-04-23 07:23:45 GMT <qwebirc62523> any idea how I can get the parent node reference ?

2018-04-23 07:29:13 GMT <AFaust> qwebirc62523: Setting a property in the prototype is absolutely the wrong thing to do. Changes there will not be reflected in the actual DocumentList instance once it has a value of its own assigned.

2018-04-23 07:29:46 GMT <AFaust> The DocumentList also inherently sets its own proper context whenever the user navigates up/down/into the folder hierarchy - no need to do any custom setting

2018-04-23 07:30:19 GMT <AFaust> Of course the socialRegisterRenderer will not be called if there are no files in the folder, because then there is nothing to render...

2018-04-23 07:30:50 GMT <AFaust> It is unclear to me what you are trying to do and - more specifically - WHY...

2018-04-23 07:51:42 GMT <qwebirc62523> I want to do a custom file upload using resumable js (for large files)

2018-04-23 07:52:16 GMT <qwebirc62523> I have written backend api for it and All thats left is get the parent node reference and pass it along with the webscript

2018-04-23 07:52:55 GMT <qwebirc62523> I have searched a while and I can not get the specific piece of code for retrieving parent node reference

2018-04-23 07:53:18 GMT <qwebirc62523> The way they did it here https://github.com/Alfresco/share/blob/develop/share/src/main/webapp/components/documentlibrary/repo-toolbar.js#L85

2018-04-23 07:53:19 GMT <alfbot> Title: share/repo-toolbar.js at develop · Alfresco/share · GitHub (at github.com)

2018-04-23 08:11:30 GMT <AFaust> qwebirc62523: That would be the way to go... Of course if you are not adding an extension to the toolbar, and instead to the documentlist itself, the access looks a slightly bit different: https://github.com/Alfresco/share/blob/develop/share/src/main/webapp/components/documentlibrary/documentlist.js#L336

2018-04-23 08:11:31 GMT <alfbot> Title: share/documentlist.js at develop · Alfresco/share · GitHub (at github.com)

2018-04-23 08:32:02 GMT <qwebirc62523> Thanks AFaust I'll try it :)

2018-04-23 08:40:32 GMT <bhagyasilva> testing irssi

2018-04-23 08:40:36 GMT <bhagyasilva> :D

2018-04-23 08:41:15 GMT <bhagyasilva> exit

2018-04-23 08:44:00 GMT <qwebirc62523> I get error saying Uncaught TypeError: Cannot read property 'doclistMetadata' of undefined

2018-04-23 09:12:53 GMT <fwu> hello all

2018-04-23 09:14:12 GMT <fwu> ppl, in a standard alfresco community installation, what are the endpoint to get workflow data from an external application? Should I use the same webscripts share is using?

2018-04-23 12:39:30 GMT <qwebirc76341> @AFaust doclistMetadata worked !!, I was trying to read the property parent.nodeRef inside Ready function

2018-04-23 12:45:42 GMT <Loftux> Have someone tested Microsoft Azure for Authentication? https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started Either header-baser (alfresco external) or with Kerberos?

2018-04-23 12:45:43 GMT <alfbot> Title: How to provide secure remote access to on-premises apps | Microsoft Docs (at docs.microsoft.com)

2018-04-23 12:54:43 GMT <AFaust> Loftux: I used the Azure AD for a customer PoC last year using regular LDAP-AD

2018-04-23 12:54:56 GMT <AFaust> And one of my customers is using the Azure SSO proxy

2018-04-23 12:55:10 GMT <AFaust> using Kerberos at the moment

2018-04-23 12:56:32 GMT <AFaust> One problem with the Azure Kerberos at the moment is that we could not forward the ticket from Share to Repository. Something is off in the ticket and neither documentation nor the internal consultant in charge of rolling out Azure was competent enough to find a setting that may affect this.

2018-04-23 12:56:50 GMT <AFaust> So I had to build a custom Share Kerberos SSO filter to deal with this.

2018-04-23 12:57:22 GMT <Loftux> AFaust: Thanks, what they want to achieve is the more secure login for a Share instance that is on the public web.

2018-04-23 12:57:32 GMT <AFaust> Essentially, if Share fails to forward the ticket to Repository we fall back to (internally) using external authentication between Share and Repository (extract user name from ticket and pass it along)

2018-04-23 12:57:44 GMT <Loftux> Ok, maybe the heade-based might be esier

2018-04-23 12:58:18 GMT <Loftux> even for Share, looks like Azure supports that

2018-04-23 12:59:20 GMT <Loftux> Or I'll use your idea of extracting the username from ticket.

2018-04-23 13:00:29 GMT <Loftux> Problem with to much customization here, customer wants high security at almost no cost… Oh well, security always comes at no cost ;)

2018-04-23 13:01:11 GMT <AFaust> Requires three custom classes in total: adapted copy of SSOAuthenticationFilter, custom PrivilegedAction and a custom remote connector to handle the HTTP header...

2018-04-23 13:02:43 GMT <AFaust> Of course if Alfresco wouldn't have this annoying habit of making everything "private" in Java, one could just extend the default filter. But nooooooo....

2018-04-23 14:44:25 GMT <hi-ko> AFaust, Loftux: Maybe this is related to higher enctypes: aes256-cts-hmac-sha1-96 ?

2018-04-23 14:45:19 GMT <AFaust> hi-ko: Problem wasn't with enctypes - ticket could be decoded properly but KDC refused to issue forward ticket

2018-04-23 14:45:48 GMT <AFaust> some combination of setting in the ticket + requested option (no feedback in error as to which)

2018-04-23 14:45:59 GMT <hi-ko> If I remember right azure kerberos doesn't allow rc4-hmac for forwards

2018-04-23 14:47:11 GMT <AFaust> Well - using the Azure SSO proxy, the Kerberos ticket is actually supposed to always be granted / handled by the internal KDC, so no Azure specifics should be involved.

2018-04-23 14:47:20 GMT <AFaust> ...apart from that proxy

2018-04-23 14:47:53 GMT <AFaust> But if you have links to any documentation on that it would be good to know regardless...

2018-04-23 14:48:24 GMT <hi-ko> another question from the sso area: has somebody experience with enterprise saml implementation?

2018-04-23 14:48:37 GMT <AFaust> I had been searching to no end in order to get some idea what may be wrong before having to give up and do the simple (workaround) solution

2018-04-23 14:49:03 GMT <AFaust> I had used Enterprise SAML at a customer early last year - right around the switch from EA to GA

2018-04-23 14:49:38 GMT <hi-ko> AFaust: does this work with cifs auth at the same time since it replaces the auth stack?

2018-04-23 14:49:41 GMT <AFaust> Ended up not using it after all, since the customer requirements at the customer were interpreted incorrectly by the project lead, and we could continue using plain old Kerberos

2018-04-23 14:49:54 GMT <AFaust> Hehe - of course not.

2018-04-23 14:50:13 GMT <hi-ko> AFaust: damn - no go ...

2018-04-23 14:50:16 GMT <AFaust> I mean, for the CIFS / FTP thingy, the old authentication chain will be used as always

2018-04-23 14:50:33 GMT <AFaust> SAML simply can't cope with that.

2018-04-23 14:50:55 GMT <AFaust> It's just for the web-based SSO part where authentication chain will be essentially "replaced" (or "worked around")

2018-04-23 14:50:57 GMT <hi-ko> so auth stack is being replaced for web stack only?

2018-04-23 14:51:00 GMT <yreg> hi-ko, I am integrating Enterprise SAML now into two projects

2018-04-23 14:51:42 GMT <AFaust> Since it is just an "addon" module, it cannot fully replace the auth stack - it can only override in a way that the auth stack is not used for certain features

2018-04-23 14:52:20 GMT <yreg> hi-ko, even for web you have the option not to enforce saml

2018-04-23 14:52:29 GMT <hi-ko> AFaust, sounds like trial, error and research ...

2018-04-23 14:52:56 GMT <yreg> Which would make it possible for users to use for instance ntlm alfresco or click on a link to be redirected to the IdP for SAML auth

2018-04-23 14:56:37 GMT <mbui> I have some custom forms where reflected XSS can be performed. I.e. if I take the GET request of the "edit form" and add i2y8p"><script>alert(document.cookie)</script>rlsd8 to the end of the URL the script is then run (firefox 58, chrome handles this). Any ideas on how to prevent this?

2018-04-23 15:00:01 GMT <AFaust> mbui: Can you provide the full crafted URL?

2018-04-23 15:00:47 GMT <AFaust> I am curious because earlier this year I commented on a "potential XSS vector" report where similar snippets where used on form URLs and in all cases they were false positives

2018-04-23 15:01:31 GMT <mbui> AFaust: http://localhost:8081/share/service/components/form?itemKind=node&itemId=workspace://SpacesStore/1a4e916f-96f6-43f0-8da7-58ce4fe0af48&mode=edit&submitType=json&site=civil-1&showCancelButton=true&formId=[object%20HTMLDivElement]&htmlid=template_x002e_datagrid_x002e_data-lists_x0023_default-editDetailsi2y8p%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Erlsd8

2018-04-23 15:02:09 GMT <mbui> That's not it, firefox seems to encode when I copy.

2018-04-23 15:02:39 GMT <AFaust> I was also wondering about the [object%20HTMLDivElement] in there...

2018-04-23 15:02:42 GMT <mbui> http://localhost:8081/share/service/components/form?itemKind=node&itemId=workspace://SpacesStore/1a4e916f-96f6-43f0-8da7-58ce4fe0af48&mode=edit&submitType=json&site=civil-1&showCancelButton=true&formId=[object HTMLDivElement]&htmlid=template_x002e_datagrid_x002e_data-lists_x0023_default-editDetailsi2y8p"><script>alert(document.cookie)</script>rlsd8

2018-04-23 15:03:39 GMT <AFaust> Looks like the result of some custom piece of code that did not construct the URL correctly

2018-04-23 15:05:31 GMT <AFaust> As far as I can see, the htmlid parameter is properly HTML encoded in form.lib.ftl and form.get.html.ftl

2018-04-23 15:05:55 GMT <AFaust> in form.get.html.ftl even once too many / incorrectly

2018-04-23 15:06:29 GMT <AFaust> Is there some custom form component that has been configured which may have an FTL without proper encoding?

2018-04-23 15:08:00 GMT <mbui> I think you're right, there's custom code that creates these forms.

2018-04-23 15:08:00 GMT <mbui> https://gist.githubusercontent.com/buimichael/1635eeef34d84cd39df59227bcf143d5/raw/e3217bf1d696ba9814da748788d2ddfc42e59c92/gistfile1.txt

2018-04-23 15:08:29 GMT <AFaust> Tested the URL on my 5.0d system - XSS not successful

2018-04-23 15:09:29 GMT <AFaust> Test on my 5.2 currently not possible as this would have port conflicts with the one I currently run for my customer project of the day

2018-04-23 15:10:02 GMT <mbui> I tested it on 4.2.2 where XSS was successful on OOTB forms. Also tested on 4.2.5.1 and 4.2.8 where it was not successful. But you are correct, there's custom code that doesn't properly sanitize URL.

2018-04-23 15:13:23 GMT <mbui> AFaust: Regarding overriding OOTB status templates. I attempted to have both nginx and tomcat handle them on a general level, however it seemed because there are "specific" error templates under specific APIs (like /api/service/) they take precedence. So I had to override those in addition to creating tomcat/nginx specific error pages.

2018-04-23 15:13:34 GMT <AFaust> Ah - so you have an even older Alfresco. I do believe there were various XSS fixes in the 5.x release

2018-04-23 15:20:40 GMT <mbui> How do you guys handle the supported platforms that Alfresco is recommending? Tomcat version in particular. I.e. 5.2.x recommends 7.0.82, however Ubuntu 16.04 source package uses 7.0.68. Our sysadmins insists on using the version that the OS provides for easier updating of bugs/vulnerabilities.

2018-04-23 15:55:17 GMT <AFaust> mbui: Typically also the OS-provided version if within the supported range. Listing on Supported Platforms only means that Alfresco tests that combination - doesn't mean there is anything wrong with a lower version. And indeed they only recently retroactively changed that for 5.2 if I am informed correctly. A customer checked a few months ago and then 5.2 specified a different Tomcat version

2018-04-23 15:58:53 GMT <mbui> Ah, found the culprit of the reflected XSS: https://github.com/Ashex/fme-alfresco-extdl/blob/master/fme-alfresco-extdl-share/src/main/resources/alfresco/web-extension/site-webscripts/org/alfresco/components/data-lists/forms/dataitem-edit.ftl#L8

2018-04-23 15:58:54 GMT <alfbot> Title: fme-alfresco-extdl/dataitem-edit.ftl at master · Ashex/fme-alfresco-extdl · GitHub (at github.com)

2018-04-23 15:59:23 GMT <mbui> This project is using 5 year old extension :thinking:

2018-04-23 19:21:29 GMT <douglascrp> hello guys

2018-04-23 19:22:11 GMT <douglascrp> you one changes the share query template to include d:text and d:mltext, users start to get results for everything, which is "right"

2018-04-23 19:22:25 GMT <douglascrp> but how about setting types to be excluded from the results using the query template?

2018-04-23 19:22:38 GMT <douglascrp> would it be possible to exclude datalist items for example?

2018-04-23 19:22:53 GMT <douglascrp> I am trying to find any information on the topic, but I could find nothing so far

2018-04-23 21:04:48 GMT <AFaust> douglascrp: Yes, it is possible - you can have static elements in the query template as well, i.e. a NOT ASPECT:"xx:yy" fragment

2018-04-23 21:05:43 GMT <douglascrp> AFaust, so, this %(cm:name cm:title cm:description ia:whatEvent ia:descriptionEvent lnk:title lnk:description TEXT TAG d:text d:mltext)

2018-04-23 21:06:09 GMT <douglascrp> could be %(cm:name cm:title cm:description ia:whatEvent ia:descriptionEvent lnk:title lnk:description TEXT TAG d:text d:mltext AND -TYPE:"dl:dataList" AND -TYPE:"dl:dataListItem")

2018-04-23 21:06:52 GMT <AFaust> No - not that way. Everything inside the %() is handled for dynamic expansion. The static parts need to be outside of it

2018-04-23 21:07:07 GMT <AFaust> Trying to find an example in my vast local collection of projects

2018-04-23 21:07:09 GMT <douglascrp> the way I was dealing with is is by replacing the correspondent search.lib.js file for live and normal simple search, and there I was adding the exclusion in the query

2018-04-23 21:07:22 GMT <douglascrp> AFaust, I tried it, like this

2018-04-23 21:07:33 GMT <douglascrp> %(cm:name cm:title cm:description ia:whatEvent ia:descriptionEvent lnk:title lnk:description TEXT TAG d:text d:mltext) AND -TYPE:"dl:dataList" AND -TYPE:"dl:dataListItem"

2018-04-23 21:07:38 GMT <douglascrp> but it didn't work

2018-04-23 21:07:54 GMT <douglascrp> this is why I am using the js replacement approach

2018-04-23 21:09:31 GMT <douglascrp> maybe I should not include the AND?

2018-04-23 21:09:42 GMT <douglascrp> AFaust, do you have any sample?

2018-04-23 21:10:03 GMT <AFaust> I mean, you can always specify those exclusions as filter queries.... although the default, unpatched Search Script API does not support that...

2018-04-23 21:10:28 GMT <douglascrp> when I tried it with the exclusions outside the (), it gave me no errors, but the unneeded result was present

2018-04-23 21:10:37 GMT <AFaust> I thought I had an example somewhere, but my local search is coming up empty right now. Maybe I have too many of my projects "closed" and not accessible to search

2018-04-23 21:10:47 GMT <douglascrp> ah, as filter queries is what I did, I guess

2018-04-23 21:11:16 GMT <AFaust> Not if you modified the core query. Filter queries are only available via Java SearchParameters API right now

2018-04-23 21:11:41 GMT <douglascrp> the part I touched is this

2018-04-23 21:11:42 GMT <douglascrp> fqs.push('-TYPE:"cm:thumbnail" AND -TYPE:"cm:failedThumbnail" AND -TYPE:"cm:rating" AND -TYPE:"st:site"' +

2018-04-23 21:11:42 GMT <douglascrp> ' AND -ASPECT:"st:siteContainer" AND -ASPECT:"sys:hidden" AND -cm:creator:system AND -QNAME:comment\\-*' +

2018-04-23 21:11:42 GMT <douglascrp> ' AND -TYPE:"dl:dataList" AND -TYPE:"dl:dataListItem"');

2018-04-23 21:11:54 GMT <douglascrp> as you can see, it is just one more line

2018-04-23 21:12:02 GMT <douglascrp> this inside my custom search-lib.js

2018-04-23 21:12:09 GMT <douglascrp> search.lib.js

2018-04-23 21:12:09 GMT <AFaust> But they are the best tool to use, since they are sent separate to SOLR, queried separately and only combined at the end to determine the final result set. This allows SOLR to cache those filter queries, improving future queries where the main query differs but the filter queries are the same

2018-04-23 21:13:34 GMT <AFaust> Oh - apparently Search Script API does support filterQueries now and this is what fqs are...

2018-04-23 21:13:46 GMT <AFaust> Too bad they did not enhance the JavaDoc + documentation

2018-04-23 21:14:40 GMT <douglascrp> if you can, please, give me tips

2018-04-23 21:14:43 GMT <AFaust> Ideally, you would split that large filter query up some more.....

2018-04-23 21:15:05 GMT <douglascrp> I didn't get that

2018-04-23 21:15:11 GMT <AFaust> i.e. based on natural groups, like one fqs to handle thumbnails, one to handle data list etc..

2018-04-23 21:15:52 GMT <AFaust> (potentially better for reuse on the SOLR cache side if some other query may be sharing only part of the filter conditions)

2018-04-23 21:16:18 GMT <AFaust> In short, your fqs.push() approach is already the better option than to modify the template

2018-04-23 21:17:08 GMT <AFaust> I just don't like that it is a large fqs with many different things....

2018-04-23 21:17:17 GMT <AFaust> And I don't like the use of "-" prefix...

2018-04-23 21:18:14 GMT <AFaust> I prefer "NOT" which is easier to read when combined with "=" or "~" prefix

2018-04-23 21:25:04 GMT <douglascrp> AFaust, I have to leave now, but I will be back in 2 hours or less

2018-04-23 21:25:10 GMT <douglascrp> then I will read what you posted

2018-04-23 21:25:15 GMT <douglascrp> thank you

2018-04-23 23:43:57 GMT <douglascrp> ~latter tell AxelFaust that is the shere OOTB code

2018-04-23 23:43:57 GMT <alfbot> douglascrp: Error: "latter" is not a valid command.

2018-04-23 23:44:02 GMT <douglascrp> ~later tell AxelFaust that is the shere OOTB code

2018-04-23 23:44:02 GMT <alfbot> douglascrp: The operation succeeded.

2018-04-23 23:44:09 GMT <douglascrp> ~later tell AFaust that is the shere OOTB code

2018-04-23 23:44:09 GMT <alfbot> douglascrp: The operation succeeded.

2018-04-23 23:44:23 GMT <douglascrp> ~later tell AxelFaust that is the *share OOTB code

2018-04-23 23:44:23 GMT <alfbot> douglascrp: The operation succeeded.

2018-04-23 23:44:28 GMT <douglascrp> ~later tell AFaust that is the share OOTB code

2018-04-23 23:44:28 GMT <alfbot> douglascrp: The operation succeeded.

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco