Change By: Roman Kovařík (06/Sep/13 3:38 PM)

Description:
# Images are displayed even if no extension is defined:
Try to open http://localhost:8080/magnoliaAuthor/.imaging/stk/pop/content-small/dms/demo-project/img/bk/Opener/staircase from above/document/staircase%20from%20above
# You can access the content with any extension:
http://localhost:8080/magnoliaAuthor/demo-project.zzzzzzzzzzz

Due to this fact, security scans can see a source code disclosure vulnerability in tweaked Magnolia image URLs, see SUPPORT-2505. We should provide an optional filter for denying this behaviour.

*Filter name*: {{ExtensionCheckFilter}}

We can filter extensions which are not defined in {{server/MIME-mapping}}, and we probably won't check whether it is the correct extension for this content. Modules like dms (MGNLDMS-218) or imaging (MGNLIMG-115) already take care of this problem independently.

*Problems:* It's possible to invoke variations with a variation extension. If we deny accessing content with any extension, then variations wouldn't be accessible with a URI extension.

*Possible solution:*
# We would have a merged list of all supported extensions including variation names (MIME-types + variation names).
# Search for the extension in the list of variation names and in {{server/MIME-mapping}}.
# Register variation names under {{server/MIMEmapping}} as mime-type {{variation}}.
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
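As an added illustration of the check sketched in the issue (this is example code written for this page, not Magnolia's own code and not the filter the issue proposes), the following servlet filter takes the extension of the last path segment and lets the request through only if that extension is either a configured MIME-mapping key or a configured variation name; any other extension gets a 404. The two allow-lists are constructed inline here as stand-ins for the {{server/MIME-mapping}} node, and the class name, the sample extensions and the variation names ("small", "medium", "large") are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example extension check filter (illustration only, not Magnolia code).
 *
 * A request whose last path segment carries an extension that is neither a
 * MIME-mapping key nor a variation name is answered with 404. Paths without
 * any extension are passed through untouched: the "image displayed without
 * an extension" case is left to the dms/imaging modules, as the issue says.
 */
public class ExtensionCheckFilter implements Filter {

    // Constructed stand-ins for the server/MIME-mapping node and for the
    // variation names; a real filter would read both from configuration.
    private final Set<String> mimeMappedExtensions = new HashSet<>(
            Arrays.asList("html", "htm", "jpg", "jpeg", "png", "gif", "pdf", "css", "js"));
    private final Set<String> variationNames = new HashSet<>(
            Arrays.asList("small", "medium", "large"));

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise in the example
    }

    @Override
    public void destroy() {
        // nothing to release in the example
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // servletPath + pathInfo is the container-decoded path without the
        // context path, the query string or ";"-style path parameters, so an
        // encoded dot (%2E) cannot hide an extension from the check.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path = path + req.getPathInfo();
        }

        if (!isAllowed(path)) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    /** True when the path has no extension, or one that is MIME-mapped or a variation name. */
    boolean isAllowed(String path) {
        String ext = extensionOf(path);
        if (ext == null) {
            return true;
        }
        return mimeMappedExtensions.contains(ext) || variationNames.contains(ext);
    }

    /**
     * Extension of the last path segment, lower-cased; null when the segment
     * contains no dot. A trailing dot yields "" and is therefore rejected.
     */
    static String extensionOf(String path) {
        int slash = path.lastIndexOf('/');
        String last = slash >= 0 ? path.substring(slash + 1) : path;
        int dot = last.lastIndexOf('.');
        if (dot < 0) {
            return null;
        }
        return last.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

With these lists, {{/demo-project.zzzzzzzzzzz}} is answered with 404, while {{/demo-project.html}} and an imaging URL ending in {{.small}} pass through. The filter only compares the extension against the allow-lists; as the issue notes, it does not verify that the extension actually matches the content type of the node, which remains the job of the module serving the request.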
----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------