First published: 27 October 2023 (cf)
Starting with Fabasoft Folio 2024, Fabasoft eGov-Suite 2024 (Service Track) and Fabasoft eGov-Suite 2023 September Release (Feature Track), the app.ducx Expression Language's features SetFile, GetFile and further functions are restricted to Fabasoft Folio's specific temporary directories by default.
To use these functions outside of Folio’s temp directories, an environment variable with allowed paths needs to be set. Furthermore, this security feature can be disabled.
The file system restriction of the app.ducx Expression Language pertains to all functions that can read from or write to the filesystem, such as SetFile, GetFile, GetFileEx and file constructors.
By default, the following directories are excluded from the restriction:
This implies that any action, bulk job, import, constructor, wrapper et cetera cannot read or write files outside of the mentioned directories.
In case an implementation tries to read or write outside of the allowed paths, an error message and exception will occur:
Internal Error: Writing to *path* is not allowed
Internal Error: Reading from *path* is not allowed
Internal Error: Removing from *path* is not allowed
To allow reading from additional paths, the environment variable CONTENTRESTRICTPATHRO can be set on the specific kernel instance or server. For the variable, use the PATH formatting of the operating system.
To allow writing to additional paths, the environment variable CONTENTRESTRICTPATHRW can be set on the specific kernel instance or server. For the variable, use the PATH formatting of the operating system. Writable paths are implicitly also readable.
Please note the different path separators: Windows uses a semicolon (“;”), Linux uses a colon (“:”).
File content of CONTENTRESTRICTPATHRW:
Caution: Disabling the path restriction is a security issue as every user/administrator/developer having access to app.ducx Expressions may access paths on your (web) servers with the Fabasoft Folio Web Service security context.
The environment variable ENABLECONTENTRESTRICTPATH defaults to true if not set.
To completely disable the path restriction, set this environment variable to false.
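The following Python check is an added example, not part of the original article and not Fabasoft code. It reviews the three environment variables described above for one kernel instance and flags a disabled restriction, a separator that does not match the operating system, relative entries and filesystem roots. The sample paths are constructed, and matching the value false case-insensitively is an assumption.

```python
import ntpath
import posixpath

# Separators as stated in the article: ";" on Windows, ":" on Linux.
SEPARATOR = {"windows": ";", "linux": ":"}
PATH_VARS = ("CONTENTRESTRICTPATHRO", "CONTENTRESTRICTPATHRW")


def entries(env, var, os_name):
    """Split one variable into its non-empty path entries."""
    raw = env.get(var, "").split(SEPARATOR[os_name])
    return [e.strip() for e in raw if e.strip()]


def effective_access(env, os_name):
    """Writable paths are implicitly readable, so they count for both."""
    ro = entries(env, "CONTENTRESTRICTPATHRO", os_name)
    rw = entries(env, "CONTENTRESTRICTPATHRW", os_name)
    return {"read": ro + rw, "write": rw}


def audit(env, os_name):
    """Return findings for one kernel instance's environment (a dict)."""
    findings = []
    pathmod = ntpath if os_name == "windows" else posixpath
    # The restriction is active unless the variable is set to false.
    # Assumption: the value is matched case-insensitively.
    if env.get("ENABLECONTENTRESTRICTPATH", "true").strip().lower() == "false":
        findings.append("ENABLECONTENTRESTRICTPATH=false: restriction disabled")
    for var in PATH_VARS:
        for entry in entries(env, var, os_name):
            if os_name == "linux" and ";" in entry:
                findings.append(f"{var}: ';' in {entry!r}, Linux separates with ':'")
            if os_name == "windows" and entry.count(":") > 1:
                findings.append(f"{var}: extra ':' in {entry!r}, Windows separates with ';'")
            if not pathmod.isabs(entry):
                findings.append(f"{var}: {entry!r} is not an absolute path")
            norm = pathmod.normpath(entry)
            if pathmod.dirname(norm) == norm:  # filesystem or drive root
                findings.append(f"{var}: {entry!r} is a root and allows everything below it")
    return findings


if __name__ == "__main__":
    # Constructed sample environment, not taken from the article.
    sample = {"CONTENTRESTRICTPATHRO": "/srv/import", "CONTENTRESTRICTPATHRW": "/srv/import;/srv/export"}
    for line in audit(sample, "linux"):
        print(line)
```

Run it against the environment of each kernel instance or server after changing the variables. An empty result means none of the checked mistakes were found.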