Content Management with WebDAV and OpenOffice

Doing the obvious may be hard

The Obvious

Given WebDAV and knowing that OpenOffice as most modern text processors can produce acceptable HTML it looks like a reasonable idea to use the combination to let users edit website content. A short test shows that OpenOffice can open a WebDAV enabled HTTP URL and write back the content to the server when pressing “Save”. Further tests show, that OpenOffice can do digest authentication. So the next obvious thing is a link that throws up OpenOffice for editing. Wow, there is even a mime type for opening OpenOffice on HTML content. Then things get difficult.

The Hard

When a link as above is clicked, firefox – I did no research on other browsers – downloads the link target to a temporary file and opens the file using OpenOffice. This means that it is impossible to save the file to the WebDAV URL since OpenOffice has no knowledge of it. And there is no way to get firefox to pass the WebDAV URL to OpenOffice.

Then I took a step back and looked at what others did. Winamp and other streaming clients used playlists. Are there any office document lists … no. Can I get an HTML document to open an HTML document? Yeah, actually I can, there is the META HTTP-EQUIV redirect. Bingo! OpenOffice does follow meta redirects.

So a tiny HTML snippet with a

<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=<!--#echo var="SCRIPT_URI" -->">

in its head and a rewrite rule like

RewriteEngine On

# This does a meta redirect to the original file.
# This is the way to pass the webdav url to open office.
# There must be a query string with edit=yes in the link
RewriteCond %{QUERY_STRING}     edit=yes
RewriteCond %{SCRIPT_FILENAME}  !_meta_redir\.shtml
RewriteRule ^.*\.shtml$         /cindy/test/site/_meta_redir.shtml
 
<Files _meta_redir.shtml>
ForceType  application/vnd.oasis.opendocument.text-web
</Files>

IndexIgnore _meta_redir.shtml

should do. They nearly do.

Unfortunately no current browser uses read only temporary files. Firefox did, but stopped doing it. I am not sure if this was really intentional since bug 439938 has not been closed. Both, LibreOffice and OpenOffice do however only follow meta redirects if the file is read only. I did write a bug report before I fully understood what is happening. It has correctly been marked as "not a bug", since the current behavior is best possible. So (and this really sucks) a small shell script

#!/bin/sh
# Make the opened file ro

chmod a-w $1
libreoffice $1

comes to the rescue. This has to be configured as a helper application for the vnd.oasis.opendocument.text-web mime type.

Another thing is that SCRIPT_URI only works if there is a RewriteEngine On in the virtual host container. After figuring out that little detail I was finally able to click on a link that – Voila! - opened OpenOffice. After editing the file – given a working WebDAV - pressing save wrote back the changes to the web server.

The Risk

Apaches approach to prevent “write and execute” attacks is to disallow writing. With WebDAV this is pointless. You may consider authenticated users more trustworthy, but being sure is better. Unfortunately disallowing executing is harder than disallowing writing. The latter can be achieved using OS file system permissions. To disallow executing, you must disallow all ways apache could execute a file. The most important thing is that you MUST use Options IncludesNOEXEC to enable SSI. The things I have found so far are

<Directory /var/www/test/cindy/test/site >
# Basic settings
Options +Indexes +MultiViews
# The usual means against an "write and execute" attack
# is to forbid writing. Since this is pointless
# when configuring webdav we are very careful to 
# disallow executing.
Options -Includes -ExecCGI
# SSI is needed
Options +IncludesNOEXEC
# Very little Configuration is done in .htaccess
AllowOverride Indexes
# Remove all handlers. Note that with AllowOverride FileInfo 
# handlers can be added in .htaccess.
SetHandler None

# Access 
Order allow,deny
allow from all

# Authentication
AuthType Digest
AuthName "webdav"
AuthUserFile  /home/jo/www/digest-password
# Reading is allowed without authentication
<LimitExcept GET HEAD OPTIONS PROPFIND>
Require valid-user
</LimitExcept>

# WebDAV settings
DAV On

</Directory>

For your convenience I kept the WebDAV configuration. This is rather straightforward and in more detail described here.

Why?

I am just wondering why this is hard. This is the start of what the sharepoint guys call office integration.