Magnolia / MAGNOLIA-5292

Make Magnolia respond to only registered extensions


    • Improvement
    • Resolution: Fixed
    • Major
    • 5.3.11, 5.4.2
    • 3.0 Final
    • core
    • Sprint 7 (Kromeriz)
    • 3

      The content can be accessed with any extension, e.g.
      http://localhost:8080/magnoliaAuthor/demo-project.zzzzzzzzzzz
      or
      http://localhost:8080/magnoliaAuthor/demo-project.htmlasdfsd

      Due to this fact, security scans can see a source code disclosure vulnerability in images or other resources.

      An out-of-the-box Magnolia installation should instead check extensions against those registered under config:/server/MIMEMappings and allow only no extension or registered extensions to be used.

      To allow for backward compatibility, this behaviour should be configurable.
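
One way to express the check this issue asks for, as an added example that is not Magnolia's own code. The class name, the `enforce` flag and the sample extension set are assumptions standing in for the configurable behaviour and for the entries under config:/server/MIMEMappings.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not Magnolia's API): decides whether a request URI may be served.
public class ExtensionCheck {
    private final Set<String> registered; // stand-in for the entries under config:/server/MIMEMappings
    private final boolean enforce;        // false = legacy behaviour, any extension is served

    public ExtensionCheck(Set<String> registered, boolean enforce) {
        this.registered = registered;
        this.enforce = enforce;
    }

    // Extension of the last path segment, lower-cased; null when the segment has no dot.
    static String extensionOf(String uri) {
        int q = uri.indexOf('?');                                  // drop the query string
        String path = q >= 0 ? uri.substring(0, q) : uri;
        String last = path.substring(path.lastIndexOf('/') + 1);   // dots in directories are ignored
        int semi = last.indexOf(';');                              // drop path parameters (;jsessionid=...)
        if (semi >= 0) last = last.substring(0, semi);
        int dot = last.lastIndexOf('.');
        return dot < 0 ? null : last.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public boolean isAllowed(String uri) {
        if (!enforce) return true;            // backward-compatible mode
        String ext = extensionOf(uri);
        return ext == null || registered.contains(ext); // a trailing dot yields "" and is rejected
    }

    public static void main(String[] args) {
        Set<String> mime = Set.of("html", "css", "js", "png", "jpg"); // constructed sample set
        ExtensionCheck strict = new ExtensionCheck(mime, true);
        ExtensionCheck legacy = new ExtensionCheck(mime, false);
        String[] uris = {                     // first four mirror the URLs in the description
            "/magnoliaAuthor/demo-project",
            "/magnoliaAuthor/demo-project.html",
            "/magnoliaAuthor/demo-project.zzzzzzzzzzz",
            "/magnoliaAuthor/demo-project.htmlasdfsd",
            "/magnoliaAuthor/v1.2/logo.PNG?x=a.b",
        };
        for (String u : uris) {
            System.out.printf("%-45s strict=%s legacy=%s%n", u,
                    strict.isAllowed(u) ? "serve" : "reject", legacy.isAllowed(u) ? "serve" : "reject");
        }
    }
}
```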


              efochr Evzen Fochr
              jsimak Jaroslav Simak