[MAGNOLIA-2020] activation: /ActivationHandler should be /.magnolia/activation or similar
Created: 24/Jan/08  Updated: 23/Jan/13  Resolved: 24/Jan/08

Status: Closed
Project: Magnolia
Component/s: activation
Affects Version/s: 3.5.3
Fix Version/s: 3.5.4

Type: Improvement
Priority: Major
Reporter: Philipp Bärfuss
Assignee: Philipp Bärfuss
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-2021 activation: security hole if you acti... Closed

 Description   

By default all URLs under .magnolia are protected by the anonymous role. So it makes sense to move the activation filter under this path.

Note: this is not a security issue as such, as the execution under 3.5 uses normal ACLs for writing or deleting.



 Comments   
Comment by Philipp Bracher [ 24/Jan/08 ]

In case you activate a new item it is indeed a security hole.

MAGNOLIA-2021 fixes that.

Comment by Philipp Bracher [ 24/Jan/08 ]

The old URI is supported by virtual URI mapping. URI security is working in that case too.
