  1. Magnolia
  2. MAGNOLIA-5292

Make Magnolia respond to only registered extensions


Details

    • Improvement
    • Resolution: Fixed
    • Major
    • 5.3.11, 5.4.2
    • 3.0 Final
    • core
    • Sprint 7 (Kromeriz)
    • 3

    Description

      The content can be accessed with any extension, e.g.
      http://localhost:8080/magnoliaAuthor/demo-project.zzzzzzzzzzz
      or
      http://localhost:8080/magnoliaAuthor/demo-project.htmlasdfsd

      Due to this fact, security scans can see a source code disclosure vulnerability in images or other resources.

      An out-of-the-box Magnolia installation should instead check extensions against those registered under config:/server/MIMEMappings and allow only no extension or registered extensions to be used.

      To allow for backward compatibility, this behaviour should be configurable.
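
The check proposed in the description, sketched as an added example in plain Java (not Magnolia's code and not the fix that was shipped). The registered set stands in for the entries under config:/server/MIMEMappings; the class name, the `enforce` switch, the sample extensions and the handling of case, path parameters and a trailing dot are assumptions.

```java
import java.util.Locale;
import java.util.Set;

// Added illustration in plain Java; not Magnolia code.
public class ExtensionAllowlist {
    // Stands in for the extensions registered under config:/server/MIMEMappings.
    private final Set<String> registered;
    // Hypothetical switch: false keeps the old accept-anything behaviour.
    private final boolean enforce;

    public ExtensionAllowlist(Set<String> registered, boolean enforce) {
        this.registered = registered;
        this.enforce = enforce;
    }

    // Extension of the last path segment, or null when the segment has no dot.
    // Assumptions: text after the last dot counts, compared case-insensitively.
    static String extensionOf(String uriPath) {
        String segment = uriPath.substring(uriPath.lastIndexOf('/') + 1);
        int semi = segment.indexOf(';'); // drop path parameters (;jsessionid=...)
        if (semi >= 0) segment = segment.substring(0, semi);
        int dot = segment.lastIndexOf('.');
        return dot < 0 ? null : segment.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Allow no extension or a registered one; a trailing dot yields "" and is refused.
    public boolean isAllowed(String uriPath) {
        if (!enforce) return true;
        String ext = extensionOf(uriPath);
        return ext == null || registered.contains(ext);
    }

    public static void main(String[] args) {
        Set<String> mime = Set.of("html", "css", "js", "png"); // constructed sample
        ExtensionAllowlist strict = new ExtensionAllowlist(mime, true);
        ExtensionAllowlist legacy = new ExtensionAllowlist(mime, false);
        String[] paths = {
            "/magnoliaAuthor/demo-project", "/magnoliaAuthor/demo-project.html",
            "/magnoliaAuthor/demo-project.HTML;jsessionid=x", "/magnoliaAuthor/demo-project.",
            "/magnoliaAuthor/demo-project.zzzzzzzzzzz", "/magnoliaAuthor/demo-project.htmlasdfsd"
        };
        for (String p : paths) {
            System.out.printf("%-48s strict=%b legacy=%b%n", p, strict.isAllowed(p), legacy.isAllowed(p));
        }
    }
}
```

In strict mode the first three paths are accepted and the last three are refused; the legacy instance accepts all six, which is the behaviour the issue reports.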

              People

                efochr Evzen Fochr
                jsimak Jaroslav Simak

                    Time Tracking

                      Original Estimate: Not Specified
                      Remaining Estimate: 0d
                      Time Spent: 4.5h