Restricted path access in Fabasoft app.ducx Expression Language

First published: 27 October 2023 (cf)

Summary

Starting with Fabasoft Folio 2024, Fabasoft eGov-Suite 2024 (Service Track) and Fabasoft eGov-Suite 2023 September Release (Feature Track), the SetFile, GetFile and further functions of the app.ducx Expression Language are restricted to Fabasoft Folio’s specific temporary directories by default.

To use these functions outside of Folio’s temp directories, an environment variable with allowed paths needs to be set. Furthermore, this security feature can be disabled.

Details

The file system restriction of the app.ducx Expression Language applies to all functions that can read from or write to the file system, such as SetFile, GetFile, GetFileEx and file constructors.

By default, the following directories are excluded from the restriction:

  • DOCDIR (precisely, the path that is set as the DOCDIR environment variable)
  • TEMPDIR (precisely, the path that is set as the TEMPDIR environment variable)
  • Furthermore, calls from fsceval, cooload and cooprep are excluded from the restriction.

This implies that any action, bulk job, import, constructor, wrapper et cetera cannot read or write files outside of the mentioned directories.

In case an implementation tries to read or write outside of the allowed paths, an error message and exception will occur:

Internal Error: Writing to *path* is not allowed
Internal Error: Reading from *path* is not allowed
Internal Error: Removing from *path* is not allowed

Solution

See Definition of Environment Variables to become familiar with Fabasoft environment variables.

Allow additional paths

To allow additional paths to read, the environment variable CONTENTRESTRICTPATHRO can be set on the specific kernel instance or server. For the variable, use the PATH formatting of the operating system.

To allow additional paths to write, the environment variable CONTENTRESTRICTPATHRW can be set on the specific kernel instance or server. For the variable, use the PATH formatting of the operating system. Writable paths are implicitly also readable.

Please note the difference in path separators between Windows (use a semicolon, ";") and Linux (use a colon, ":").

Examples

Windows

[HKEY_CURRENT_USER\Software\Fabasoft\Environment\CONTENTRESTRICTPATHRW]
@="c:\\temp\\first_path\\;c:\\temp\\second_path\\"

Linux

File content of CONTENTRESTRICTPATHRW:
/tmp:/usr/workdir
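
Before deploying a value for CONTENTRESTRICTPATHRO or CONTENTRESTRICTPATHRW, it can be reviewed for entries that allow more than intended. The following is an added example, not Fabasoft code: the function names are hypothetical, and the "at or below an allowed entry" matching is an assumed model for review purposes, not the kernel's documented behaviour.

```python
import ntpath
import posixpath

def parse_entries(value, windows):
    """Split a PATH-formatted value (';' on Windows, ':' on Linux) into normalized entries."""
    mod, sep = (ntpath, ";") if windows else (posixpath, ":")
    return [mod.normpath(e.strip()) for e in value.split(sep) if e.strip()]

def audit(value, windows):
    """Return (entry, finding) pairs for entries that allow more than a specific directory."""
    mod = ntpath if windows else posixpath
    findings = []
    for entry in parse_entries(value, windows):
        if not mod.isabs(entry):
            findings.append((entry, "relative path"))
        elif mod.splitdrive(entry)[1] == mod.sep:
            findings.append((entry, "filesystem or drive root"))
    return findings

def is_covered(path, ro_value, rw_value, windows, write=False):
    """Assumed model (not taken from the product): a path is covered when it lies at
    or below an allowed entry. Lexical check only; symbolic links are not resolved."""
    mod = ntpath if windows else posixpath
    allowed = parse_entries(rw_value, windows)      # writable entries are also readable
    if not write:
        allowed += parse_entries(ro_value, windows)
    target = mod.normcase(mod.normpath(path))       # collapses ".." before comparing
    for entry in allowed:
        base = mod.normcase(entry).rstrip(mod.sep) + mod.sep
        if target + mod.sep == base or target.startswith(base):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values, modelled on the article's examples.
    rw = "/tmp:/usr/workdir"
    print(audit("/srv/import:/:data", windows=False))
    print(is_covered("/tmp/../etc/passwd", "", rw, windows=False))
    print(is_covered("/usr/workdir/out.csv", "", rw, windows=False, write=True))
```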

Disable the path restriction

Caution: Disabling the path restriction is a security issue as every user/administrator/developer having access to app.ducx Expressions may access paths on your (web) servers with the Fabasoft Folio Web Service security context.

The environment variable ENABLECONTENTRESTRICTPATH defaults to true if not set.

To completely disable the path restriction, set this environment variable to false.
