Content Management with WebDAV and OpenOffice
Doing the obvious may be hard
The Obvious
Given WebDAV and knowing that OpenOffice as most modern text processors can produce acceptable HTML it looks like a reasonable idea to use the combination to let users edit website content. A short test shows that OpenOffice can open a WebDAV enabled HTTP URL and write back the content to the server when pressing “Save”. Further tests show, that OpenOffice can do digest authentication. So the next obvious thing is a link that throws up OpenOffice for editing. Wow, there is even a mime type for opening OpenOffice on HTML content. Then things get difficult.
The Hard
When a link as above is clicked, firefox – I did no research on other browsers – downloads the link target to a temporary file and opens the file using OpenOffice. This means that it is impossible to save the file to the WebDAV URL since OpenOffice has no knowledge of it. And there is no way to get firefox to pass the WebDAV URL to OpenOffice.
Then I took a step back and looked at what others did. Winamp and other streaming clients used playlists. Are there any office document lists … no. Can I get an HTML document to open an HTML document? Yeah, actually I can, there is the META HTTP-EQUIV redirect. Bingo! OpenOffice does follow meta redirects.
So a tiny HTML snippet with a
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=<!--#echo var="SCRIPT_URI" -->">
in its head and a rewrite rule like
RewriteEngine On # This does a meta redirect to the original file. # This is the way to pass the webdav url to open office. # There must be a query string with edit=yes in the link RewriteCond %{QUERY_STRING} edit=yes RewriteCond %{SCRIPT_FILENAME} !_meta_redir\.shtml RewriteRule ^.*\.shtml$ /cindy/test/site/_meta_redir.shtml <Files _meta_redir.shtml> ForceType application/vnd.oasis.opendocument.text-web </Files> IndexIgnore _meta_redir.shtml
should do. They nearly do.
Unfortunately browsers do not necessarily use read only temporary files. Firefox does, but but it did stop doing it for some time. Both, LibreOffice and OpenOffice do however only follow meta redirects if the file is read only. I did write a bug report before I fully understood what is happening. It has correctly been marked as "not a bug", since the current behavior is best possible. So in case your browser does not use read only temporary files a small shell script
#!/bin/sh # Make the opened file ro chmod a-w $1 libreoffice $1
comes to the rescue. This has to be configured as a helper application for the vnd.oasis.opendocument.text-web mime type.
Another thing is that SCRIPT_URI only works if there is a RewriteEngine On in the virtual host container. After figuring out that little detail I was finally able to click on a link that – Voila! - opened OpenOffice. After editing the file – given a working WebDAV - pressing save wrote back the changes to the web server.
The Risk
Apaches approach to prevent “write and execute” attacks is to disallow writing. With WebDAV this is pointless. You may consider authenticated users more trustworthy, but being sure is better. Unfortunately disallowing executing is harder than disallowing writing. The latter can be achieved using OS file system permissions. To disallow executing, you must disallow all ways apache could execute a file. The most important thing is that you MUST use Options IncludesNOEXEC to enable SSI. The things I have found so far are
<Directory /var/www/test/cindy/test/site > # Basic settings Options +Indexes +MultiViews # The usual means against an "write and execute" attack # is to forbid writing. Since this is pointless # when configuring webdav we are very careful to # disallow executing. Options -Includes -ExecCGI # SSI is needed Options +IncludesNOEXEC # Very little Configuration is done in .htaccess AllowOverride Indexes # Remove all handlers. Note that with AllowOverride FileInfo # handlers can be added in .htaccess. SetHandler None # Access Order allow,deny allow from all # Authentication AuthType Digest AuthName "webdav" AuthUserFile /home/jo/www/digest-password # Reading is allowed without authentication <LimitExcept GET HEAD OPTIONS PROPFIND> Require valid-user </LimitExcept> # WebDAV settings DAV On </Directory>
For your convenience I kept the WebDAV configuration. This is rather straightforward and in more detail described here.
Why?
I am just wondering why this is hard. This is the start of what the sharepoint guys call office integration.