Uploaded image for project: 'Magnolia'
  1. Magnolia
  2. MAGNOLIA-5621

CLONE - PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.4.13, 4.5.16
    • Component/s: None
    • Labels:
    • Release notes required:
      Yes
    • Magnolia Release:
      4.4.13, 4.5.16

      Description

      Default roles have denies such as /.magnolia/pages/configuration*.
      However, with the current implementation of info.magnolia.module.admininterface.PageMVCServlet, any user who has access to /.magnolia (but not this specific page, as is the case for the eric sample user), security can be bypassed by simply requesting /.magnolia/pages/FOO/BAR/configuration.html

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              mdivilek Milan Divilek
              Reporter:
              gjoseph Magnolia International
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: