[ http://jira.magnolia.info/browse/MAGNOLIA-1744?page=all ]

Philipp Bracher resolved MAGNOLIA-1744.
---------------------------------------

    Fix Version/s: 3.0.4
       Resolution: Fixed

I fixed the issue by setting the default permission to read.

In Magnolia 3.1 we now have a much better security concept where you assign 
permissions to the anonymous role more clearly. In 3.1 we also distinguish 
between URL and content protection.

> Content can be changed on a public instance by executing links designed for 
> the MgnlInterceptFilter
> ---------------------------------------------------------------------------------------------------
>
>                 Key: MAGNOLIA-1744
>                 URL: http://jira.magnolia.info/browse/MAGNOLIA-1744
>             Project: Magnolia
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.3
>            Reporter: Daniel Knobloch
>         Assigned To: Philipp Bracher
>            Priority: Blocker
>             Fix For: 3.0.4
>
>
> It is possible to change content on a Magnolia public instance by executing 
> links like the following:
> http://localhost:8080/public/home/partner.html?mgnlCK=1189687249674&mgnlIntercept=NODE_SORT&mgnlPathSelected=/home/partner/maincont/01&mgnlPathSortAbove=/home/partner/maincont/00
> This link - for example - moves a content node inside the node hierarchy.
> Maybe this is a good solution for this problem:
> The main problem is that the user's authority isn't checked inside the 
> MgnlInterceptFilter.
> Inside the "doFilter" method the code should be changed like this:
> if (isAuthorized(request, response) && Server.isAdmin()) { ... }
> This solution helps to prevent executing those "evil" links in the public 
> instance.
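The authorization gap described in the report, sketched as a servlet filter that applies the proposed fix. This is an added illustration, not Magnolia's MgnlInterceptFilter; it assumes `Server.isAdmin()` and `isAuthorized(request, response)` as the report names them (the body of `isAuthorized` is not in the report and is stubbed here), and `InterceptHandler` is a hypothetical stand-in for the code that actually executes an intercept command.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;

// Added example (not Magnolia's code): intercept commands arriving as
// request parameters are executed only when BOTH conditions hold:
//   1. the instance is an author/admin instance (Server.isAdmin()), and
//   2. the caller is authorized (isAuthorized(request, response)).
// A public instance therefore fails closed and never acts on them.
public class HardenedInterceptFilter implements Filter {
    private static final String INTERCEPT_PARAM = "mgnlIntercept";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String command = request.getParameter(INTERCEPT_PARAM);

        if (command == null) {
            chain.doFilter(req, res); // ordinary page request, nothing to intercept
            return;
        }
        // Check 1: a public instance must never modify content via intercepts.
        // Server is assumed to be the Magnolia config class the report refers to.
        if (!Server.isAdmin()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Check 2: on an author instance, verify the caller's authority before
        // any node is sorted, moved or otherwise changed.
        if (!isAuthorized(request, response)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        InterceptHandler.handle(command, request, response); // hypothetical dispatcher
    }

    // Assumption: stands in for the filter's existing check, whose body the
    // report does not show. Here: an authenticated principal is required.
    private boolean isAuthorized(HttpServletRequest request, HttpServletResponse response) {
        return request.getUserPrincipal() != null;
    }
}
```

The order of the checks matters: evaluating `Server.isAdmin()` first means a public instance rejects every intercept request before any user lookup is attempted.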

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.magnolia.info/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira