Bug #1530: cfg is readable by everyone
Status: closed
% Done: 0%
Description
The *.cfg files in skins are readable by everyone. This is not good as they
might contain information that should not be revealed to the public.
Solution: Assign 600 permission to the file with 'apache' as the owner.
Trouble: what is the best way to implement this? This will be specific for KNB
only. So if code is added to the build file, it will only be KNB specific. Might
not be true for others.
Also, another related issue is that this is a skin-specific thing. And I was
wondering if we will be packaging all the skins that we have when we
package/ship Metacat. Shouldn't there be just a default skin which can be
copied by everybody else? And all the rest of the skins should be separate
modules. But that was the case initially. So this issue might already have been
debated upon.
Updated by Michael Daigle almost 15 years ago
We added the following to the knb web.xml to restrict access to .cfg files:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CFG</web-resource-name>
        <!-- every request path ending in .cfg -->
        <url-pattern>*.cfg</url-pattern>
    </web-resource-collection>
    <!-- empty auth-constraint: no role is allowed, so the container denies everyone -->
    <auth-constraint/>
</security-constraint>
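A check for the kind of constraint quoted above, added here as an example and not part of the bug report or of Metacat: it parses a constructed web.xml fragment (hypothetical, not the KNB file) and confirms that *.cfg is covered by a security-constraint with an empty auth-constraint and no http-method list, since a constraint that lists methods leaves the unlisted ones unprotected. WEAK_WEB_XML is a constructed counterexample that only constrains GET.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the constraint in the comment above
# (hypothetical content, not the real KNB web.xml).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CFG</web-resource-name>
      <url-pattern>*.cfg</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Constructed weak variant: only GET is constrained, so HEAD/POST/etc.
# to a .cfg file would still be served.
WEAK_WEB_XML = SAMPLE_WEB_XML.replace(
    "<url-pattern>*.cfg</url-pattern>",
    "<url-pattern>*.cfg</url-pattern>\n      <http-method>GET</http-method>")


def _local(tag):
    """Strip any XML namespace so namespaced web.xml files parse too."""
    return tag.split("}", 1)[-1]


def cfg_is_denied(web_xml_text, pattern="*.cfg"):
    """True if some security-constraint denies `pattern` to every caller
    for every HTTP method."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        # An auth-constraint naming roles permits those roles; only an
        # empty one (or none at all? no: none means unrestricted) denies all.
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [p.text.strip() for p in wrc
                        if _local(p.tag) == "url-pattern" and p.text]
            methods = [m for m in wrc if _local(m.tag) == "http-method"]
            # Listing http-method elements constrains only those methods.
            if pattern in patterns and not methods:
                return True
    return False
```

This only checks the deployment descriptor; files in the skin directory remain readable to any local account that can read the webapp tree, which is the separate filesystem-permission point raised in the description.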