Project

General

Profile

Actions
Copy link

Bug #3368

closed

security issue with skins

Added by Shaun Walbridge over 14 years ago. Updated almost 13 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Michael Daigle
Category:
registry
Target version:
1.9.2
Start date:
06/05/2008
Due date:
% Done:

0%

Estimated time:
Bugzilla-Id:
3368

Description

The Perl code uses configuration files to get required settings. These settings are currently being served up by Tomcat, but should instead be accessed through filehandles on disk (e.g. /var/metacat/configuration/configuration.file) in a folder not readable via the web.

Related issues

Is duplicate of Metacat - Bug #1530: cfg is readable by everyoneResolvedSaurabh Garg04/22/2004

Actions
Actions
Copy link
 #1

Updated by Jing Tao over 14 years ago

Short solution for 1.8.1 release:

in registry_installtion.html, a paragraph was added to change the owner and access permission of those files. 1.9 release will come up a better solution. So move it to 1.9 release.

Actions
Copy link
 #2

Updated by Michael Daigle almost 13 years ago

We changed the configuration files to be <skin-name>.cfg and restricted access to all cfg files via web.xml

Actions
Copy link
 #4

Updated by Michael Daigle almost 13 years ago

Correction, we are using <skin-name>.properties files which is also protected in web.xml.

Removing all .cfg files and the protection in web.xml for them since they are no longer used.

Actions
Copy link
 #5

Updated by Redmine Admin almost 10 years ago

Original Bugzilla ID was 3368

Actions
Copy link

Also available in: Atom PDF