Bug #3368

closed

security issue with skins

Added by Shaun Walbridge over 14 years ago. Updated almost 13 years ago.

Status: Resolved
Priority: Normal
Category: registry
Target version:
Start date: 06/05/2008
Due date:
% Done: 0%
Estimated time:
Bugzilla-Id: 3368

Description

The Perl code uses configuration files to get required settings. These settings are currently being served up by Tomcat, but should instead be accessed through filehandles on disk (e.g. /var/metacat/configuration/configuration.file) in a folder not readable via the web.


Related issues

Is duplicate of Metacat - Bug #1530: cfg is readable by everyone - Resolved - Saurabh Garg - 04/22/2004

Actions #1

Updated by Jing Tao over 14 years ago

Short solution for 1.8.1 release:

In registry_installtion.html, a paragraph was added to change the owner and access permission of those files. The 1.9 release will come up with a better solution. So move it to 1.9 release.

Actions #2

Updated by Michael Daigle almost 13 years ago

We changed the configuration files to be <skin-name>.cfg and restricted access to all cfg files via web.xml

Actions #4

Updated by Michael Daigle almost 13 years ago

Correction, we are using <skin-name>.properties files, which are also protected in web.xml.

Removing all .cfg files and the protection in web.xml for them since they are no longer used.

Actions #5

Updated by Redmine Admin almost 10 years ago

Original Bugzilla ID was 3368
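
The web.xml restriction described in the comments above can be verified mechanically. The following Python script is an added example, not code from Metacat or from this ticket: the sample descriptor is constructed and the function names are hypothetical. It reports which file extensions have no deny-all security constraint, relying on the Servlet rule that an `<auth-constraint>` naming no roles blocks every caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (an assumption, not Metacat's real web.xml).
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>skin properties</web-resource-name>
      <url-pattern>*.properties</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>legacy cfg, role-gated only</web-resource-name>
      <url-pattern>*.cfg</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    # Drop the namespace so DTD-era and schema-era descriptors both work.
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def denied_patterns(web_xml_text):
    """Return the url-patterns that are blocked for every caller."""
    # An <auth-constraint> with no <role-name> denies all access; a collection
    # listing <http-method> covers only those methods, so it is skipped.
    root = ET.fromstring(web_xml_text)
    denied = set()
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth or any(_children(a, "role-name") for a in auth):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            if _children(wrc, "http-method"):
                continue
            for pattern in _children(wrc, "url-pattern"):
                denied.add((pattern.text or "").strip())
    return denied

def unprotected(web_xml_text, extensions):
    """List extensions that have no deny-all '*.ext' mapping."""
    denied = denied_patterns(web_xml_text)
    return [ext for ext in extensions if f"*.{ext}" not in denied]
```

Running `unprotected()` against a deployed descriptor with `["properties", "cfg"]` shows whether either kind of skin configuration file could still be served by Tomcat.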
