Details
-
Bug
-
Resolution: Won't Do
-
Neutral
-
None
-
1.4.5
-
None
-
None
-
Mac OS Lion, Magnolia Community 4.4.5, Tomcat Bundle
-
-
Empty show more show less
Description
On the default Magnolia Community 4.4.5 with the STK JARs installed when I retrieve this paragraph using the URL:
http://localhost:8080/magnoliaPublic/demo-project/news-and-events/main/0
I see in the logs:
java.lang.ClassCastException: info.magnolia.module.templatingkit.paragraphs.EventsListModel cannot be cast to info.magnolia.module.templatingkit.templates.STKTemplateModel
I am not sure if this is a bug in the STK but it seems so?
If so, this can be quite harmfull for existing Magnolia (STK) sites I think. It should be fairly easy to think of a DoD attack using such paragraph URLs. The log file will flood in no time I think.
On a side note: I wonder if it is a good idea to 'enable' these paragraph URLs by default? It is not wise to disable this feature by default and let people explicitly enable it? Because this bug shows it can be quite risky?
I have attached the log file.