[ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659080#action_12659080 ]

Johan Compagner commented on WICKET-1992:
-----------------------------------------

Everything is now pretty lazy, so the point:

> lazily loading resources without registration is deactivated by default. Can 
> be enabled by devs at their own risk. 

will be horrible if we turn that back to what Wicket was previously (that 
everything has to be loaded up front), also over server restarts or clustering. 
Then everything has to be done by the IInitializers again, which most people 
don't use.


I think what could be disabled by default is this setting:

CharSequence getParentFolderPlaceholder();

By default I think that setting should be null.
Then Wicket is way more safe by default, because only resources that are in the 
same dir or in one of its children are accessible, and those are protected by 
default by PackageResourceGuard (class/java/html/properties should be guarded 
by default, I guess), and then it is pretty safe because in those dirs users 
don't have sensitive config data, only data that is really for that component.


Then in the doc of that get/set ParentFolderPlaceholder we should warn them 
that they also should set a right PackageResourceGuard if this property is set, 
because of the inherent dangers this property generates.

I don't think WEB-INF can be accessed either, because looking at Seb's URL:

http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml

this would be the dir:

http://www.mydomain.com/resources/MyBookMarkablePage/log4j.xml

and that is the WEB-INF/classes dir, not WEB-INF itself.
But in that dir there is a lot of config data also, so going up just has to be 
disabled by default.

> SharedResourceRequestTarget allows access to almost arbitrary files under 
> WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>
> Hi All,
> I've just run into what I consider a bit of a security issue with the 
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF 
> directory (though I have to guess the file names).
> For example, if I see there is some bookmarkable page in the app with the 
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
> Replace log4j.xml with applicationContext.xml, or any other guesses for 
> useful files.
> In both these files it is more than possible that there is sensitive 
> information such as database urls and passwords or mail server usernames and 
> passwords (though if you use a property configurator in Spring you might be 
> lucky since the password is then contained in a .properties file, which is 
> blocked by Wicket).
> Of course there may be lots of other sensitive files in WEB-INF.
> I know about the IPackageResourceGuard interface, however, only since today, 
> after looking into this problem. :-) I could build my own implementation with 
> a default deny policy and open up package resources on a need to have basis. 
> However, I REALLY think that Wicket should be secure by default, and a better 
> solution to this problem should be found...
> Regards,
> Sebastiaan

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
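The policy the comment proposes (parent-folder placeholder null by default, plus an extension guard on class/java/html/properties), modelled as a stand-alone check over the kind of URL path quoted in the issue. This is an added example, not Wicket code: the function names, the dict it returns and the sample paths are constructed for illustration.

```python
from posixpath import normpath

# Extensions the comment proposes that PackageResourceGuard deny by default.
GUARDED_EXTENSIONS = ("class", "java", "html", "properties")


def package_dir(scope_class):
    """'com.myapp.pages.MyBookMarkablePage' -> 'com/myapp/pages'."""
    return "/".join(scope_class.split(".")[:-1])


def check_resource_path(scope_class, relative_path, parent_placeholder=None):
    """Model (not Wicket's implementation) of the proposed resource policy.

    relative_path is the URL part after the scope class, e.g.
    '$up$/$up$/$up$/log4j.xml'. parent_placeholder is the token that stands
    for '..' (the getParentFolderPlaceholder setting); None means going up
    is disabled, the default the comment argues for, so '$up$' is then just
    an ordinary (non-existent) directory name inside the package.
    Returns a dict: allowed, resolved classpath location, whether that
    location is still inside the scope package, and the reason.
    """
    base = package_dir(scope_class)
    parts = []
    for seg in relative_path.split("/"):
        if seg in ("", ".", ".."):  # literal traversal never reaches the classpath
            return {"allowed": False, "path": None, "inside_package": None,
                    "reason": "empty or literal '..' segment rejected"}
        parts.append(".." if seg == parent_placeholder else seg)
    path = normpath(base + "/" + "/".join(parts))
    inside = path.startswith(base + "/")
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in GUARDED_EXTENSIONS:
        return {"allowed": False, "path": path, "inside_package": inside,
                "reason": "extension %r is guarded" % ext}
    if inside:
        reason = "inside scope package"
    else:  # only reachable when a placeholder is configured: the guard is all that protects it
        reason = "escapes scope package; only the extension guard protects it"
    return {"allowed": True, "path": path, "inside_package": inside, "reason": reason}


if __name__ == "__main__":
    scope = "com.myapp.pages.MyBookMarkablePage"
    print(check_resource_path(scope, "$up$/$up$/$up$/log4j.xml"))
    print(check_resource_path(scope, "$up$/$up$/$up$/log4j.xml", "$up$"))
    print(check_resource_path(scope, "MyBookMarkablePage.html"))
```

With the placeholder enabled the log4j.xml request resolves to the classes root and is allowed, because `.xml` is not in the guarded list; with the default of None it stays inside the package directory.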