[ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659088#action_12659088 ]
Sebastiaan van Erk commented on WICKET-1992:
--------------------------------------------
I agree that the WEB-INF dir itself is not accessible.
However, anything in the classpath is, provided you are able to find a
class with the correct classloader. Since Wicket does not generally hide
classnames to the external world, in some cases (e.g., bookmarkable pages)
that's easy.
I think the $up$ should be disabled, I don't really see the need for it and
it's rather dangerous.
But I also think that's still not enough. Any jar in the WEB-INF/lib is a
potential target for resources being accessible from the outside world, simply
by finding/guessing a class in the target lib and asking it for the resource
you are interested in.
I do not agree with:
> Then wicket is way more safe by default because only resources that are in
> the same dir or in one of its children are accessible
> and those are default protected by PackageResourceGuard
> (class/java/html/properties should be guarded i guess by default)
> and then it is pretty safe because in those dirs users don't have sensitive
> config data. Only data that is really for that component.
Because this assumes that the class you're using in the resource request is a
component, but in fact it can be any class whatsoever.
Personally I would prefer a default deny strategy where the resource class
itself implements the IPackageResourceGuard interface. That is, the resource
class ITSELF determines if the resource request is allowed. If the interface is
not implemented, then it should default to not being allowed.
This way libraries can in an encapsulated way control access to resources in
their own jar file/package hierarchy, but you can never request anything that
is not expressly allowed.
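A default-deny guard along the lines Sebastiaan proposes, written here as an added illustration (it is not Wicket's code and was not part of the issue): every traversal segment is refused, and a resource is served only when the class named in the request itself implements IPackageResourceGuard and accepts the path. It assumes the Wicket 1.4 `accept(Class<?>, String)` signature and, as a simplification, that such a scope class has a public no-arg constructor; the class and method names below are the example's own.

```java
import org.apache.wicket.markup.html.IPackageResourceGuard;
import org.apache.wicket.markup.html.PackageResourceGuard;

/**
 * Added example: a default-deny package resource guard in which the scope
 * class decides for itself. Install it from Application.init() with
 *   getResourceSettings().setPackageResourceGuard(new ScopeDecidesResourceGuard());
 */
public class ScopeDecidesResourceGuard implements IPackageResourceGuard {

    // Wicket's stock guard keeps its extension blacklist (.class, .java,
    // .properties, ...) in force even when a scope class says yes.
    private final IPackageResourceGuard extensionGuard = new PackageResourceGuard();

    public boolean accept(Class<?> scope, String path) {
        // 1. Belt and braces: never honour a parent-directory segment, whether
        //    it arrives as Wicket's "$up$" token or as a plain "..".
        if (scope == null || path == null || path.contains("$up$") || path.contains("..")) {
            return false;
        }
        // 2. Wicket's own extension rules still apply on top of this policy.
        if (!extensionGuard.accept(scope, path)) {
            return false;
        }
        // 3. The actual default deny: a class that does not implement the guard
        //    interface (a page, a Spring bean, anything on the classpath) opens
        //    nothing, so WEB-INF/log4j.xml is unreachable whichever class is
        //    named in the URL.
        if (!IPackageResourceGuard.class.isAssignableFrom(scope)) {
            return false;
        }
        try {
            // Assumption of this example: the scope has a public no-arg
            // constructor; any failure to instantiate counts as a deny.
            IPackageResourceGuard self = (IPackageResourceGuard) scope.newInstance();
            return self.accept(scope, path);
        } catch (Exception e) {
            return false;
        }
    }
}

/** Example scope class (hypothetical) that opens only its own stylesheet. */
class MyPanelResources implements IPackageResourceGuard {
    public boolean accept(Class<?> scope, String path) {
        // Only this one file in this class's package; everything else is denied.
        return path.equals("MyPanel.css") || path.endsWith("/MyPanel.css");
    }
}
```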
> SharedResourceRequestTarget allows access to almost arbitrary files under
> WEB-INF.
> ----------------------------------------------------------------------------------
>
> Key: WICKET-1992
> URL: https://issues.apache.org/jira/browse/WICKET-1992
> Project: Wicket
> Issue Type: Bug
> Affects Versions: 1.3.5, 1.4-RC1
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Hi All,
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
> directory (though I have to guess the file names).
> For example, if I see there is some bookmarkable page in the app with the
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
> In both these files it is more than possible that there is sensitive
> information such as database urls and passwords or mail server usernames and
> passwords (though if you use a property configurator in Spring you might be
> lucky since the password is then contained in a .properties file, which is
> blocked by Wicket).
> Of course there may be lots of other sensitive files in WEB-INF.
> I know about the IPackageResourceGuard interface, however, only since today,
> after looking into this problem. :-) I could build my own implementation with
> a default deny policy and open up package resources on a need to have basis.
> However, I REALLY think that Wicket should be secure by default, and a better
> solution to this problem should be found...
> Regards,
> Sebastiaan