Bug #3368
security issue with skins
Description
The Perl code uses configuration files to get required settings. These settings are currently being served up by Tomcat, but should instead be accessed through filehandles on disk (e.g. /var/metacat/configuration/configuration.file) in a folder not readable via the web.
History
#1 Updated by Jing Tao about 14 years ago
Short solution for 1.8.1 release:
In registry_installtion.html, a paragraph was added to change the owner and access permissions of those files. The 1.9 release will come up with a better solution, so move it to the 1.9 release.
#2 Updated by Michael Daigle over 12 years ago
We changed the configuration files to be <skin-name>.cfg and restricted access to all cfg files via web.xml
#4 Updated by Michael Daigle over 12 years ago
Correction, we are using <skin-name>.properties files, which are also protected in web.xml.
Removing all .cfg files and the protection in web.xml for them since they are no longer used.
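The web.xml restriction described in the two comments above, written out as an added illustration; this is not part of the ticket and not Metacat's own deployment descriptor. The resource name and the url-pattern are assumptions (the ticket only says that .properties files are protected, not which pattern was used):

```xml
<!-- Added example, not Metacat's web.xml. Deny every HTTP request for
     skin configuration files inside the webapp, regardless of who asks. -->
<security-constraint>
  <web-resource-collection>
    <!-- name is arbitrary; assumed here -->
    <web-resource-name>Skin configuration files</web-resource-name>
    <!-- extension mapping: matches any *.properties under the whole context.
         A narrower path such as /style/skins/* would work too, but the
         ticket does not show the skin directory, so the pattern is assumed. -->
    <url-pattern>*.properties</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint means "no role may access": the container
       answers 403 Forbidden for every matching URL, without prompting for
       login. Leaving the element out entirely would permit access, so the
       empty element is the important part. -->
  <auth-constraint/>
</security-constraint>
```

To verify the deployment, request one of the files over HTTP after restarting the container (for example `curl -i http://host:8080/<context>/style/skins/<skin-name>.properties`, path assumed) and confirm the status is 403, not 200. Two caveats a practitioner should keep in mind: the constraint applies only to requests that reach the servlet container, so if a front-end web server is configured to serve the webapp directory directly, the files are still readable over the web; and a server-side RequestDispatcher forward or include is not subject to security constraints. Both are reasons the description's original recommendation, keeping the files outside the web-readable tree (e.g. /var/metacat/configuration/), is the more robust fix, with the web.xml rule as a second layer rather than the only one.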
#5 Updated by Redmine Admin over 9 years ago
Original Bugzilla ID was 3368