Could you file a JIRA on this?

On Mon, Dec 22, 2008 at 9:10 AM, Sebastiaan van Erk <[email protected]> wrote:

> Hi All,
>
> I've just run into what I consider a bit of a security issue with the
> SharedResourceRequestTarget. It allows me to load files from the /WEB-INF
> directory (though I have to guess the file names).
>
> For example, if I see there is some bookmarkable page in the app with the
> name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
>
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
>
> Replace log4j.xml with applicationContext.xml, or any other guesses for
> useful files.
>
> In both these files it is more than possible that there is sensitive
> information such as database URLs and passwords or mail server usernames and
> passwords (though if you use a property configurator in Spring you might be
> lucky since the password is then contained in a .properties file, which is
> blocked by Wicket).
>
> Of course there may be lots of other sensitive files in WEB-INF.
>
> I have only known about the IPackageResourceGuard interface since today,
> however, after looking into this problem. :-) I could build my own
> implementation with a default deny policy and open up package resources on a
> need-to-have basis. However, I REALLY think that Wicket should be secure by
> default, and a better solution to this problem should be found...
>
> Regards,
> Sebastiaan
>

--
Jeremy Thomerson
http://www.wickettraining.com
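The default-deny guard Sebastiaan describes, written out as an added example (this is not Wicket's own code and not code from either poster). It assumes the `accept(Class, String)` method of `IPackageResourceGuard` as it exists in Wicket 1.3/1.4, and the extension allow-list is a hypothetical one for an application that only serves static assets next to its components. Because it is not known at this layer whether `$up$` has already been decoded to `..`, the guard refuses both spellings, so a request can never climb out of the scope's package towards `WEB-INF/classes`.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Default-deny package resource guard (added example, not Wicket's own code).
 * Assumes IPackageResourceGuard.accept(Class, String) as in Wicket 1.3/1.4.
 * Register it in Application.init():
 *   getResourceSettings().setPackageResourceGuard(new DenyByDefaultResourceGuard());
 */
public class DenyByDefaultResourceGuard implements IPackageResourceGuard {
    private static final long serialVersionUID = 1L;

    /**
     * Hypothetical allow-list: only these extensions are ever served.
     * .xml and .properties are deliberately absent, so log4j.xml and
     * applicationContext.xml are refused whatever path they are requested by.
     */
    private static final Set<String> ALLOWED_EXTENSIONS = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList("css", "js", "png", "gif", "jpg", "ico")));

    /**
     * @param scope the class the resource is requested relative to
     *              (e.g. com.myapp.pages.MyBookMarkablePage)
     * @param path  the path taken from the URL, relative to the scope's package
     * @return true only for a non-traversing path with an allow-listed extension
     */
    public boolean accept(Class<?> scope, String path) {
        if (path == null || path.length() == 0) {
            return false;
        }
        String normalized = path.replace('\\', '/');
        // An absolute path would bypass the scope package entirely.
        if (normalized.startsWith("/")) {
            return false;
        }
        String[] segments = normalized.split("/", -1);
        for (String segment : segments) {
            // "$up$" is the URL spelling of ".." in resource paths; refuse both.
            if ("..".equals(segment) || "$up$".equals(segment)) {
                return false;
            }
            // Empty segments ("a//b") and dot-files (.htaccess, .svn) are refused too.
            if (segment.length() == 0 || segment.charAt(0) == '.') {
                return false;
            }
        }
        String fileName = segments[segments.length - 1];
        int dot = fileName.lastIndexOf('.');
        if (dot < 0 || dot == fileName.length() - 1) {
            return false; // no extension: nothing we would ever serve
        }
        String extension = fileName.substring(dot + 1).toLowerCase(Locale.ENGLISH);
        return ALLOWED_EXTENSIONS.contains(extension);
    }

    /** Manual check of the cases from the thread (constructed inputs). */
    public static void main(String[] args) {
        DenyByDefaultResourceGuard guard = new DenyByDefaultResourceGuard();
        // Any class stands in for com.myapp.pages.MyBookMarkablePage here.
        Class<?> scope = DenyByDefaultResourceGuard.class;
        String[] requests = {
            "$up$/$up$/$up$/log4j.xml",
            "../../../applicationContext.xml",
            "/WEB-INF/web.xml",
            "images/logo.png",
            "style.css"
        };
        for (String request : requests) {
            System.out.println(request + " -> " + (guard.accept(scope, request) ? "serve" : "refuse"));
        }
    }
}
```

Note the limits of this check: it governs only package resources that pass through the guard, so anything served by another request target, or by the servlet container itself, is outside its reach. The extension allow-list is what turns it into a true default-deny policy; a guard that only rejects `..` would still hand out a misplaced `.properties` or `.xml` file that sits inside a component's own package.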
