[MAGNOLIA-5621] CLONE - PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve
Created: 13/Jan/14  Updated: 14/Jan/14  Resolved: 13/Jan/14

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.13, 4.5.16

Type: Bug Priority: Critical
Reporter: Magnolia International Assignee: Milan Divilek
Resolution: Fixed Votes: 0
Labels: next
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
clones MGNLADMLEG-48 PageMVCServlet should be using Aggreg... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes

Description

Default roles have denies such as /.magnolia/pages/configuration*.
However, with the current implementation of info.magnolia.module.admininterface.PageMVCServlet, any user who has access to /.magnolia but not to this specific page (as is the case for the eric sample user) can bypass security by simply requesting /.magnolia/pages/FOO/BAR/configuration.html
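
A simplified model of the mismatch described above, added here as an example and not taken from Magnolia's PageMVCServlet: it assumes the deny is a glob evaluated against the request URI and that the lax lookup derives the page name from the last path segment. The class and method names are hypothetical.

```java
import java.util.regex.Pattern;

public class PageLookupDemo {
    static final String PREFIX = "/.magnolia/pages/";

    // Deny rule quoted in the issue; '*' is treated as "any characters" (assumed glob semantics).
    static final Pattern DENY =
            Pattern.compile(Pattern.quote("/.magnolia/pages/configuration") + ".*");

    static boolean deniedByAcl(String uri) {
        return DENY.matcher(uri).matches();
    }

    // Assumed model of the flaw: the page name is the last path segment minus its
    // extension, so any intermediate segments are silently ignored.
    static String laxPageName(String uri) {
        String last = uri.substring(uri.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        return dot < 0 ? last : last.substring(0, dot);
    }

    // Stricter lookup: exactly one segment may follow the prefix, so the URI that
    // the ACL evaluated is the same one that selects the page. Returns null otherwise.
    static String strictPageName(String uri) {
        if (!uri.startsWith(PREFIX)) {
            return null;
        }
        String rest = uri.substring(PREFIX.length());
        if (rest.isEmpty() || rest.indexOf('/') >= 0) {
            return null;
        }
        int dot = rest.lastIndexOf('.');
        String name = dot < 0 ? rest : rest.substring(0, dot);
        return name.isEmpty() ? null : name;
    }

    public static void main(String[] args) {
        String[] uris = {
            "/.magnolia/pages/configuration.html",          // matched by the deny
            "/.magnolia/pages/FOO/BAR/configuration.html"   // URI from the issue description
        };
        for (String uri : uris) {
            System.out.printf("%s%n  deniedByAcl=%b  lax=%s  strict=%s%n",
                    uri, deniedByAcl(uri), laxPageName(uri), strictPageName(uri));
        }
    }
}
```

For the second URI the deny does not match while the lax lookup still resolves to the configuration page; the strict lookup resolves to no page, which is the "stricter when looking up which page to serve" behaviour the issue title asks for.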


Generated at Mon Feb 12 04:06:50 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.