Uploaded image for project: 'Magnolia Resources Module'
  1. Magnolia Resources Module
  2. MGNLRES-284

Exposed files via new resources module

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 2.4.8, 2.5
    • 2.4.6
    • None
    • None
    • LFRZ
    • Yes
    • Yes
    • Basel 62
    • 8

    Description

      Yet another problem with the new resources module, unfortunately:

      The new resources module exposes anything on the classpath that can be referenced by path.

      In this way it is possible to retrieve things like:

      https://demo.magnolia-cms.com/.resources/freemarker/version.properties
      https://demo.magnolia-cms.com/.resources/NOTICE.txt
      https://demo.magnolia-cms.com/.resources/logging.properties
      https://demo.magnolia-cms.com/.resources/ErrorProcess.bpmn2
      https://demo.magnolia-cms.com/.resources/PropertyNames.txt
      https://demo.magnolia-cms.com/.resources/log4j.xml
      https://demo.magnolia-cms.com/.resources/org/apache/catalina/startup/catalina.properties
      etc, etc...

      Compare this to earlier versions, where the ClasspathSpool servlet only accessed stuff stored within "mgnl-resources" directories.

      This is a serious information disclosure security problem. Theoretically the classpath can contain passwords, secret configuration infos, etc...

      It seems to me that the new resources layer was designed without much regard to security. The JCR resources are also all loaded via system session.

      From our point of view, the following changes are needed:

      1) change it from "serve everything" to a white-listing model, so that only specifically defined resources get served. Include definitions for common resource types like CSS, JS, Fonts and Images.
      2) consider disabling the classpath resource access entirely, or base it on a subfolder concept like it used to be. If you leave it, configuration should disable access by default except where specifically allowed.
      3) add the JCR permission layer back in for JCR resources. It does not make sense that you set permissions for resources workspace in JCR, which then get ignored when resources are accessed.

      Since we needed to solve this urgently in our production environment, I have created a patch for the resources module, which I will attach. The patch addresses both this issue (whitelisting) and the issue of processed resources. Please take a look at it and consider this type of approach to solve the many problems of the resources module.

      Thank you!

      Checklists

        Acceptance criteria

        Attachments

          Issue Links

            Activity

              People

                ilgun Ilgun Ilgun
                runger Richard Unger
                Bence Vass, Marcus Büttner, Matthias Müller, Rihard Monovic
                Nucleus
                Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Checklists

                    Bug DoR
                    Task DoD