Project

General

Profile

Bug #3368

security issue with skins

Added by Shaun Walbridge about 12 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Michael Daigle
Category:
registry
Target version:
1.9.2
Start date:
06/05/2008
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
3368

Description

The Perl code uses configuration files to get required settings. These settings are currently being served up by Tomcat, but should instead be accessed through filehandles on disk (e.g. /var/metacat/configuration/configuration.file) in a folder not readable via the web.

Related issues

Is duplicate of Metacat - Bug #1530: cfg is readable by everyoneResolved04/22/2004

History

#1 Updated by Jing Tao about 12 years ago

Short solution for 1.8.1 release:

in registry_installtion.html, a paragraph was added to change the owner and access permission of those files. 1.9 release will come up a better solution. So move it to 1.9 release.

#2 Updated by Michael Daigle over 10 years ago

We changed the configuration files to be <skin-name>.cfg and restricted access to all cfg files via web.xml

#4 Updated by Michael Daigle over 10 years ago

Correction, we are using <skin-name>.properties files which is also protected in web.xml.

Removing all .cfg files and the protection in web.xml for them since they are no longer used.

#5 Updated by Redmine Admin over 7 years ago

Original Bugzilla ID was 3368

Also available in: Atom PDF