[MGNLADMLEG-48] PageMVCServlet should be using AggregationState or normalize URLs and be stricter when looking up which page to serve Created: 19/Nov/13  Updated: 23/Jan/14  Resolved: 30/Dec/13

Status: Closed
Project: Admininterface Legacy 4.x (closed)
Component/s: None
Affects Version/s: None
Fix Version/s: 5.2.2

Type: Bug Priority: Critical
Reporter: Magnolia International Assignee: Roman Kovařík
Resolution: Fixed Votes: 0
Labels: next
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MAGNOLIA-5621 CLONE - PageMVCServlet should be usin... Closed
Relates
relates to MAGNOLIA-5506 Default roles have weak URI security ... Open
Template:
Acceptance criteria:
Empty

Description

Default roles have denies such as /.magnolia/pages/configuration*.
However, with the current implementation of info.magnolia.module.admininterface.PageMVCServlet, any user who has access to /.magnolia (but not to this specific page, as is the case for the eric sample user) can bypass this security check by simply requesting /.magnolia/pages/FOO/BAR/configuration.html



Comments
Comment by Magnolia International [ 19/Nov/13 ]

I would suggest to

  • use a very strict pattern (not "whatever comes after the last slash" as currently)
  • NOT use request attributes nor parameters anymore (not sure why we ever did)
  • Only use AggregationState - or the request object, if we end up wrapping it (see MAGNOLIA-5465)
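
The following Python model, added here as an illustration and not code from Magnolia or from this issue, shows why a "whatever comes after the last slash" page lookup defeats the URI-based deny rule quoted in the description, and how the strict single-segment pattern proposed in the comment closes it. The deny/allow patterns, the regex and the resolver names are constructed assumptions, not Magnolia's own ACL implementation.

```python
import re
from typing import Callable, Optional

# Constructed ACL rules modelled on the default roles described in the issue:
# the eric-style user may reach /.magnolia, but /.magnolia/pages/configuration* is denied.
DENY_PATTERNS = ["/.magnolia/pages/configuration*"]
ALLOW_PATTERNS = ["/.magnolia*"]

# Proposed strict form: exactly one path segment under /.magnolia/pages/, optional .html.
STRICT_PAGE_RE = re.compile(r"^/\.magnolia/pages/([A-Za-z0-9_-]+)(?:\.html)?$")


def glob_to_re(pattern: str) -> "re.Pattern[str]":
    """Translate a URI pattern where only '*' is special into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def uri_permitted(uri: str) -> bool:
    """Simplified URI security check: a matching deny wins, otherwise an allow must match."""
    if any(glob_to_re(p).match(uri) for p in DENY_PATTERNS):
        return False
    return any(glob_to_re(p).match(uri) for p in ALLOW_PATTERNS)


def legacy_page_name(uri: str) -> Optional[str]:
    """The behaviour the issue describes: take whatever follows the last slash."""
    name = uri.rsplit("/", 1)[-1]
    if name.endswith(".html"):
        name = name[: -len(".html")]
    return name or None


def strict_page_name(uri: str) -> Optional[str]:
    """Proposed behaviour: accept only /.magnolia/pages/<name>[.html], nothing deeper."""
    match = STRICT_PAGE_RE.match(uri)
    return match.group(1) if match else None


def serve(uri: str, resolver: Callable[[str], Optional[str]]) -> Optional[str]:
    """Apply the URI ACL first (as the security filter does), then resolve the page.

    Returns the page name the servlet would render, or None for a 403/404.
    """
    if not uri_permitted(uri):
        return None
    return resolver(uri)


if __name__ == "__main__":
    bypass = "/.magnolia/pages/FOO/BAR/configuration.html"
    print(serve("/.magnolia/pages/configuration.html", legacy_page_name))  # None
    print(serve(bypass, legacy_page_name))  # configuration (deny rule bypassed)
    print(serve(bypass, strict_page_name))  # None
```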

Generated at Sun Feb 11 23:09:04 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.