Richard Frovarp wrote:
Andreas Hartmann wrote:
Hi Richard,
Richard Frovarp wrote:
How are permissions on /pub/modules/something calculated?
the pub/modules directory is not covered by the access control.
This directory has no special meaning, it is just used by the
default publication to provide some modules. Actually it shouldn't
be copied to the build tree.
Sorry, I should have been more clear. I was talking about URLs of that
form, so
http://lenya.zones.apache.org:9999/default/modules/kupu/kupu/common/sarissa.js
for example. It would appear that this is controlled from
config/access-control/policies/modules/subtree-policy.acml?
interesting. i wasn't even aware that we have access control for those
resources, and it's wrong imho - looks like this can easily be bypassed
by just calling
http://lenya.zones.apache.org:9999/modules/kupu/kupu/common/sarissa.js.
so it gives a false sense of security, which is a critical bug.
how do we remove this? or was it put in for a reason?
--
Jörn Nettingsmeier
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.