Bug
Resolution: Fixed
Critical
2.4.6
None
None
LFRZ
Empty
Yes
Yes
Basel 62
8
Yet another problem with the new resources module, unfortunately:
The new resources module exposes anything on the classpath that can be referenced by path.
In this way it is possible to retrieve things like:
https://demo.magnolia-cms.com/.resources/freemarker/version.properties
https://demo.magnolia-cms.com/.resources/NOTICE.txt
https://demo.magnolia-cms.com/.resources/logging.properties
https://demo.magnolia-cms.com/.resources/ErrorProcess.bpmn2
https://demo.magnolia-cms.com/.resources/PropertyNames.txt
https://demo.magnolia-cms.com/.resources/log4j.xml
https://demo.magnolia-cms.com/.resources/org/apache/catalina/startup/catalina.properties
etc., etc.
Compare this to earlier versions, where the ClasspathSpool servlet only accessed stuff stored within "mgnl-resources" directories.
This is a serious information disclosure security problem. Theoretically the classpath can contain passwords, secret configuration information, etc.
It seems to me that the new resources layer was designed without much regard to security. The JCR resources are also all loaded via system session.
From our point of view, the following changes are needed:
1) change it from "serve everything" to a white-listing model, so that only specifically defined resources get served. Include definitions for common resource types like CSS, JS, Fonts and Images.
2) consider disabling the classpath resource access entirely, or base it on a subfolder concept like it used to be. If you leave it, configuration should disable access by default except where specifically allowed.
3) add the JCR permission layer back in for JCR resources. It does not make sense that you set permissions for resources workspace in JCR, which then get ignored when resources are accessed.
Since we needed to solve this urgently in our production environment, I have created a patch for the resources module, which I will attach. The patch addresses both this issue (whitelisting) and the issue of processed resources. Please take a look at it and consider this type of approach to solve the many problems of the resources module.
Thank you!
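The following is an added illustration of the allow-list model proposed in points 1 and 2 above; it is standalone example code, not the attached patch or Magnolia's own code. It assumes a hypothetical servlet that maps `/.resources/...` requests to classpath keys, a constructed extension allow-list, and the old `mgnl-resources` subfolder convention as the only classpath location that may be read.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Allow-list of resource types the servlet may serve (point 1 of the proposal).
# The set itself is an assumption; a deployment would tune it.
ALLOWED_EXTENSIONS = {"css", "js", "map", "woff", "woff2", "ttf", "eot",
                      "png", "jpg", "jpeg", "gif", "svg", "ico"}
# Classpath lookups are confined to this subfolder, as the old ClasspathSpool did (point 2).
CLASSPATH_PREFIX = "mgnl-resources/"
URI_PREFIX = "/.resources/"


def classpath_lookup_key(request_path: str) -> Optional[str]:
    """Return the classpath key the servlet may open for request_path, or None to refuse.

    Default is deny: a path is served only if it sits under the URI prefix, contains no
    traversal after decoding and normalisation, and ends in an allow-listed extension.
    """
    path = unquote(request_path)            # decode %2e%2e and friends before checking
    if not path.startswith(URI_PREFIX):
        return None
    rel = path[len(URI_PREFIX):]
    if "\\" in rel or "\0" in rel or rel.startswith("/"):
        return None
    norm = posixpath.normpath(rel)          # collapse "a/../b" style segments
    segments = norm.split("/")
    if norm in (".", "") or ".." in segments:
        return None                         # would escape the mgnl-resources subfolder
    name = segments[-1]
    if "." not in name or name.rsplit(".", 1)[1].lower() not in ALLOWED_EXTENSIONS:
        return None                         # .properties, .xml, .txt, .bpmn2 ... are refused
    return CLASSPATH_PREFIX + norm


def audit(request_paths):
    """Map each request path to its decision, for reviewing a list of URLs."""
    return {p: classpath_lookup_key(p) for p in request_paths}


if __name__ == "__main__":
    # Constructed sample: paths from the report plus an encoded traversal and one real stylesheet.
    sample = [
        "/.resources/freemarker/version.properties",
        "/.resources/log4j.xml",
        "/.resources/org/apache/catalina/startup/catalina.properties",
        "/.resources/css/%2e%2e/%2e%2e/logging.properties",
        "/.resources/css/site.css",
    ]
    for path, key in audit(sample).items():
        print(f"{path}: {'serve ' + key if key else 'DENY'}")
```

Every path listed in the report is refused by the extension check alone; the prefix and traversal checks are what keep a permitted extension from being used to reach outside the subfolder.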
Is related to: MGNLRES-281 FTL and YAML files are exposed over the /resources URI2RepositoryMapping (Closed)