[MAGNOLIA-2021] activation: security hole if you activate a new item
Created: 24/Jan/08  Updated: 23/Jan/13  Resolved: 24/Jan/08

Status: Closed
Project: Magnolia
Component/s: activation
Affects Version/s: 3.5.3
Fix Version/s: 3.5.4

Type: Bug
Priority: Blocker
Reporter: Philipp Bärfuss
Assignee: Philipp Bärfuss
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MAGNOLIA-2020 activation: /ActivationHandler should... Closed

 Description   

The URL /ActivationHandler is not protected, and if you activate a new item the security checks are bypassed (import).

As from 3.5.4, the default activation URL is .magnolia/activation. The old URL is supported through a VirtualURI.



 Comments   
Comment by Philipp Bracher [ 24/Jan/08 ]

On 3.5 instances before 3.5.4, make sure that the URL /ActivationHandler is protected (deny access to the anonymous role).
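
One way to check an instance's access log for the condition this ticket describes, as an added example that is not part of the ticket or of Magnolia's code: it flags requests to either activation URL that carried no authenticated user yet were answered with a 2xx status. It assumes Common/Combined Log Format with the authenticated user in the third field; the function names and all log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Activation URLs named in this ticket: the pre-3.5.4 one and the 3.5.4 default.
ACTIVATION_SUFFIXES = ("/ActivationHandler", "/.magnolia/activation")

# Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status ...
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_activation_path(target):
    """True if the request target resolves to one of the activation URLs."""
    path = target.split("?", 1)[0]                      # drop the query string
    # drop ;path parameters (e.g. ;jsessionid=...) from every segment
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = unquote(path).rstrip("/")                    # decode %xx, ignore trailing /
    # suffix match so a webapp context path in front is tolerated (assumption)
    return path.endswith(ACTIVATION_SUFFIXES)

def anonymous_activation_hits(lines):
    """Return (host, time, method, target, status) for each activation request
    that had no authenticated user ("-") and was served with a 2xx status."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_activation_path(m["target"]):
            continue
        if m["user"] == "-" and m["status"].startswith("2"):
            hits.append((m["host"], m["time"], m["method"],
                         m["target"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, made-up sizes and session id).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2008:10:01:02 +0100] "POST /ActivationHandler HTTP/1.1" 200 512',
    '192.0.2.10 - - [24/Jan/2008:10:01:05 +0100] "POST /magnoliaPublic/ActivationHandler;jsessionid=AB12 HTTP/1.1" 200 512',
    '198.51.100.7 - superuser [24/Jan/2008:10:02:00 +0100] "POST /.magnolia/activation HTTP/1.1" 200 498',
    '192.0.2.10 - - [24/Jan/2008:10:03:00 +0100] "POST /.magnolia/activation HTTP/1.1" 401 0',
    '192.0.2.11 - - [24/Jan/2008:10:04:00 +0100] "GET /docs/ActivationHandler.html HTTP/1.1" 200 900',
    '192.0.2.12 - - [24/Jan/2008:10:05:00 +0100] "POST /%41ctivationHandler?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in anonymous_activation_hits(SAMPLE_LOG):
        print("unauthenticated activation request served:", hit)
```

An empty result on a pre-3.5.4 instance only shows that no such request was logged; the access rule for the anonymous role still has to be checked directly.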

Comment by Magnolia International [ 24/Jan/08 ]

Please link related issues when appropriate. Please use the multiple Jira IDs in svn commit messages when appropriate.
