[ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659079#action_12659079 ]

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

according to my tests web.xml is not accessible. Wicket will throw an 
IllegalArgumentException. That would mean that only files in WEB-INF/classes 
are accessible but not files in WEB-INF. 

log4j.properties is protected by PackageResourceGuard. But log4j.xml and 
applicationContext.xml are accessible => not good.

I agree with "Wicket should be secure by default". Maybe a solution could be:
- all resources registered with the application are allowed because the 
developer by purpose added it
- lazily loading resources without registration is deactivated by default. Can 
be enabled by devs at their own risk.
- PackageResourceGuard to deny access to any resource by default. Access can be 
granted per Package (with and without subpackages) and files (pattern)
- Add additional path/filename.extensions of well known config files to 
PackageResourceGuard which are denied by default and can not easily be removed 
from the list.

> SharedResourceRequestTarget allows access to almost arbitrary files under 
> WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>
> Hi All,
> I've just run into what I consider a bit of a security issue with the 
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF 
> directory (though I have to guess the file names).
> For example, if I see there is some bookmarkable page in the app with the 
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
> Replace log4j.xml with applicationContext.xml, or any other guesses for 
> useful files.
> In both these files it is more than possible that there is sensitive 
> information such as database urls and passwords or mail server usernames and 
> passwords (though if you use a property configurator in Spring you might be 
> lucky since the password is then contained in a .properties file, which is 
> blocked by Wicket).
> Of course there may be lots of other sensitive files in WEB-INF.
> I know about the IPackageResourceGuard interface, however, only since today, 
> after looking into this problem. :-) I could build my own implementation with 
> a default deny policy and open up package resources on a need to have basis. 
> However, I REALLY think that Wicket should be secure by default, and a better 
> solution to this problem should be found...
> Regards,
> Sebastiaan 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
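Editorial addition, not part of the JIRA thread above: the following guard is an added example, written by the editor in the shape Juergen proposes (deny by default, open up packages explicitly, keep a fixed denylist of well-known config files). It is not Wicket's own PackageResourceGuard and not the fix the project eventually shipped. It targets the Wicket 1.4 interface org.apache.wicket.markup.html.IPackageResourceGuard (boolean accept(Class<?> scope, String path)) and assumes that by the time the guard runs, the "$up$" segments from the reporter's URL have been decoded to ".." in path; the package name com.myapp.security, the list of denied file names and the extension list are the editor's choices.

```java
// Added example (editor's code), not from Wicket or the reporter's application.
// Package name is hypothetical.
package com.myapp.security;

import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Deny-by-default package resource guard. A resource is served only if, after
 * resolving ".." segments (assumed to be the decoded form of "$up$"), it lies
 * under an explicitly allowed package (subpackages included), carries an
 * allowed static-asset extension, and is not a well-known configuration file.
 */
public class DenyByDefaultResourceGuard implements IPackageResourceGuard {
    /** File names refused whatever the package or extension (lower case). Editor's list. */
    private static final Set<String> ALWAYS_DENIED = Collections.unmodifiableSet(new HashSet<String>(
        Arrays.asList("web.xml", "log4j.xml", "log4j.properties", "applicationcontext.xml",
            "persistence.xml", "hibernate.cfg.xml")));

    /** Asset types a page may legitimately reference. Editor's list. */
    private static final Pattern ALLOWED_EXTENSION = Pattern.compile("(?i)\\.(css|js|png|gif|jpe?g|ico)$");

    /** Allowed package roots as classpath prefixes, e.g. "com/myapp/ui/". */
    private final String[] allowedPrefixes;

    /** @param allowedPackages Java package names whose resources may be served, subpackages included. */
    public DenyByDefaultResourceGuard(String... allowedPackages) {
        allowedPrefixes = new String[allowedPackages.length];
        for (int i = 0; i < allowedPackages.length; i++) {
            allowedPrefixes[i] = allowedPackages[i].replace('.', '/') + "/";
        }
    }

    public boolean accept(Class<?> scope, String path) {
        String absolute = normalize(scope, path);
        if (absolute == null) {
            return false; // ".." climbed above the classpath root
        }
        String name = absolute.substring(absolute.lastIndexOf('/') + 1);
        if (name.startsWith(".") || ALWAYS_DENIED.contains(name.toLowerCase(Locale.ROOT))) {
            return false; // dot files and well-known config files are never served
        }
        if (!ALLOWED_EXTENSION.matcher(name).find()) {
            return false; // unknown type: deny rather than guess
        }
        for (String prefix : allowedPrefixes) {
            if (absolute.startsWith(prefix)) {
                return true;
            }
        }
        return false; // not under a package the developer opened up
    }

    /**
     * Resolves path against the scope's package into a classpath path with no
     * "." or ".." segments. Returns null when ".." climbs above the root, so
     * ".../MyBookMarkablePage/../../../log4j.xml" becomes "log4j.xml" (denied
     * above) and one more ".." is rejected outright.
     */
    static String normalize(Class<?> scope, String path) {
        String pkg = scope.getPackage() == null ? "" : scope.getPackage().getName().replace('.', '/');
        String joined = path.startsWith("/") ? path.substring(1) : pkg + "/" + path;
        Deque<String> segments = new ArrayDeque<String>();
        for (String segment : joined.split("/")) {
            if (segment.length() == 0 || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null;
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        StringBuilder sb = new StringBuilder();
        for (String segment : segments) {
            if (sb.length() > 0) {
                sb.append('/');
            }
            sb.append(segment);
        }
        return sb.toString();
    }
}
```

To install it the application would register it in its init() method, which in Wicket 1.4 is assumed to be getResourceSettings().setPackageResourceGuard(new DenyByDefaultResourceGuard("com.myapp.ui")); with that in place, a request for com/myapp/pages/MyPage.css is served only if com.myapp.pages (or a parent) is in the allowed list, while the reporter's URL resolves to log4j.xml at the classpath root, which fails both the package check and the fixed denylist.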
