Bug #1530

closed

cfg is readable by everyone

Added by Saurabh Garg almost 20 years ago. Updated about 14 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: registry
Target version:
Start date: 04/22/2004
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id: 1530

Description

The *.cfg files in skins are readable by everyone. This is not good as they
might contain information that should not be revealed to the public.

Solution: Assign 600 permission to the file with 'apache' as the owner.

Trouble: what is the best way to implement this? This will be specific for KNB
only. So if code is added to build file, it will only be KNB specific. Might
not be true for others.

Also another related issue is that this is a skin specific thing. And I was
wondering if we will be packaging all the skins that we have when we
package/ship Metacat. Shouldn't there be just a default skin which can be
copied by everybody else? And all the rest of the skins should be separate
modules. But that was the case initially. So this issue might already have been
debated upon.


Related issues

Has duplicate Metacat - Bug #3368: security issue with skins (Resolved, Michael Daigle, 06/05/2008)

Actions #1

Updated by Michael Daigle about 14 years ago

We added the following to knb web.xml to restrict access to .cfg files:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>CFG</web-resource-name>
    <url-pattern>*.cfg</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
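
An added example, not part of the original comment or the project's code: a check that a deployment descriptor really denies a URL pattern to everyone, the way the constraint above does with its empty `<auth-constraint/>`. The sample descriptors and the function names are constructed for illustration, and the check compares pattern strings literally rather than evaluating servlet URL matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not the project's actual web.xml).
DENY_ALL = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CFG</web-resource-name>
      <url-pattern>*.cfg</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Weak variant: only GET is listed, so other HTTP methods stay unconstrained.
GET_ONLY = DENY_ALL.replace(
    "</url-pattern>", "</url-pattern>\n      <http-method>GET</http-method>")

# Weak variant: no auth-constraint at all, so the constraint blocks nobody.
NO_AUTH = DENY_ALL.replace("<auth-constraint/>", "")

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def audit_pattern(web_xml, pattern="*.cfg"):
    """Return 'deny-all', 'partial' or 'not-denied' for a url-pattern."""
    verdict = "not-denied"
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = children(sc, "auth-constraint")
        # Deny-all means an auth-constraint that names no role.
        if not auth or any(children(a, "role-name") for a in auth):
            continue
        for wrc in children(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in children(wrc, "url-pattern")]
            if pattern not in patterns:
                continue
            limited = children(wrc, "http-method") or children(wrc, "http-method-omission")
            if not limited:
                return "deny-all"
            verdict = "partial"
    return verdict

if __name__ == "__main__":
    for name, doc in (("deny-all", DENY_ALL), ("GET only", GET_ONLY), ("no auth", NO_AUTH)):
        print(f"{name:9} -> {audit_pattern(doc)}")
```

A "partial" result means the deny rule is scoped to specific HTTP methods, so requests using other methods are not covered by it.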

Actions #2

Updated by Michael Daigle about 14 years ago

duplicate

Actions #3

Updated by Redmine Admin almost 11 years ago

Original Bugzilla ID was 1530
