Bug #1530

cfg is readable by everyone

Added by Saurabh Garg over 16 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: registry
Target version:
Start date: 04/22/2004
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id: 1530

Description

The *.cfg files in skins are readable by everyone. This is not good as they
might contain information that should not be revealed to public.

Solution: Assign 600 permission to the file with 'apache' as the owner.

Trouble: what is the best way to implement this? This will be specific for KNB
only. So if code is added to build file, it will only be KNB specific. Might
not be true for others.

Also another related issue is that this is a skin specific thing. And I was
wondering if we will be packaging all the skins that we have when we
package/ship Metacat. Shouldn't there be just a default skin which can be
copied by everybody else? And all the rest of the skins should be separate
modules. But that was the case initially. So this issue might already have been
debated upon.
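
The permission fix proposed in the description, sketched as a shell script (an added example, not code from the Metacat project). The skins directory path and the optional owner argument are assumptions about the deployment; changing ownership requires root.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on skin *.cfg files.
# The directory layout and the owner account name are deployment assumptions.

# Print every *.cfg file under $1 that grants any group or other permission bit.
list_exposed_cfg() {
    find "$1" -type f -name '*.cfg' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Set every *.cfg file under $1 to mode 600.
# If $2 is given, also chown the files to that account (needs root).
# Returns non-zero if any *.cfg file is still exposed afterwards.
lock_down_cfg() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        find "$dir" -type f -name '*.cfg' -exec chown "$owner" {} + || return 1
    fi
    find "$dir" -type f -name '*.cfg' -exec chmod 600 {} + || return 1
    # Re-audit so a silent failure (e.g. read-only mount) is reported.
    [ -z "$(list_exposed_cfg "$dir")" ]
}

# Usage: sh lockdown_cfg.sh /path/to/skins [owner]
if [ $# -ge 1 ]; then
    echo "Exposed before fix:"
    list_exposed_cfg "$1"
    lock_down_cfg "$1" "${2:-}" || { echo "some *.cfg files remain exposed" >&2; exit 1; }
    echo "All *.cfg files under $1 are now mode 600."
fi
```

Mode 600 only keeps other local accounts out; if the servlet container runs as the owning account it can still serve the file over HTTP, which is what the web.xml constraint in comment #1 addresses.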


Related issues

Has duplicate Metacat - Bug #3368: security issue with skins (Resolved, 06/05/2008)

History

#1 Updated by Michael Daigle over 10 years ago

We added the following to knb web.xml to restrict access to .cfg files:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>CFG</web-resource-name>
    <url-pattern>*.cfg</url-pattern>
  </web-resource-collection>
  <!-- Empty auth-constraint: no role is allowed, so every request matching the pattern is denied -->
  <auth-constraint/>
</security-constraint>

#2 Updated by Michael Daigle over 10 years ago

duplicate

#3 Updated by Redmine Admin over 7 years ago

Original Bugzilla ID was 1530
