Posted to commits@wicket.apache.org by "Juergen Donnerstag (JIRA)" <ji...@apache.org> on 2008/12/24 11:36:46 UTC

[jira] Commented: (WICKET-1992) SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.

    [ https://issues.apache.org/jira/browse/WICKET-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659079#action_12659079 ] 

Juergen Donnerstag commented on WICKET-1992:
--------------------------------------------

According to my tests, web.xml is not accessible. Wicket will throw an IllegalArgumentException. That would mean that only files in web-inf/classes are accessible but not files in web-inf.

log4j.properties is protected by PackageResourceGuard. But log4j.xml and applicationContext.xml are accessible => not good.

I agree with "Wicket should be secure by default". Maybe a solution could be:
- all resources registered with the application are allowed because the developer added them on purpose
- lazily loading resources without registration is deactivated by default. Can be enabled by devs at their own risk.
- PackageResourceGuard to deny access to any resource by default. Access can be granted per Package (with and without subpackages) and files (pattern)
- Add additional path/filename.extensions of well known config files to PackageResourceGuard which are denied by default and can not easily be removed from the list.

> SharedResourceRequestTarget allows access to almost arbitrary files under WEB-INF.
> ----------------------------------------------------------------------------------
>
>                 Key: WICKET-1992
>                 URL: https://issues.apache.org/jira/browse/WICKET-1992
>             Project: Wicket
>          Issue Type: Bug
>    Affects Versions: 1.3.5, 1.4-RC1
>            Reporter: Sebastiaan van Erk
>            Priority: Critical
>
> Hi All,
> I've just run into what I consider a bit of a security issue with the SharedResourceRequestTarget. It allows me to load files from the /WEB-INF directory (though I have to guess the file names).
> For example, if I see there is some bookmarkable page in the app with the name com.myapp.pages.MyBookMarkablePage, I can request the following URL:
> http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xml
> Replace log4j.xml with applicationContext.xml, or any other guesses for useful files.
> In both these files it is more than possible that there is sensitive information such as database urls and passwords or mail server usernames and passwords (though if you use a property configurator in Spring you might be lucky since the password is then contained in a .properties file, which is blocked by Wicket).
> Of course there may be lots of other sensitive files in WEB-INF.
> I know about the IPackageResourceGuard interface, however, only since today, after looking into this problem. :-) I could build my own implementation with a default deny policy and open up package resources on a need to have basis. However, I REALLY think that Wicket should be secure by default, and a better solution to this problem should be found...
> Regards,
> Sebastiaan 
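A default-deny IPackageResourceGuard along the lines Sebastiaan and Juergen both sketch above (per-package grants, traversal segments refused, known config files and unlisted extensions denied). This is an added example, not code from the issue or from Wicket itself; it assumes the 1.3/1.4 IPackageResourceGuard.accept(Class, String) contract, where path is the resource path relative to the scope class, and that it is installed from Application.init() via getResourceSettings().setPackageResourceGuard(...).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import org.apache.wicket.markup.html.IPackageResourceGuard;

/**
 * Default-deny package resource guard (example code, not Wicket's own): a resource is served
 * only when its scope class lives in an explicitly granted package (subpackages included),
 * the path has no parent-directory segment, the file is not a known config file, and the
 * extension is on the allow list.
 */
public class DenyByDefaultResourceGuard implements IPackageResourceGuard {
    private final Set<String> grantedPackages = new HashSet<String>();
    private final Set<String> allowedExtensions = new HashSet<String>(
        Arrays.asList("png", "gif", "jpg", "css", "js"));
    // configuration files named in the issue, denied whatever their extension
    private final Set<String> blockedNames = new HashSet<String>(
        Arrays.asList("web.xml", "log4j.xml", "log4j.properties", "applicationContext.xml"));

    /** Grants resources under this package and its subpackages, e.g. "com.myapp.pages". */
    public DenyByDefaultResourceGuard grantPackage(String packageName) {
        grantedPackages.add(packageName);
        return this;
    }

    public boolean accept(Class<?> scope, String path) {
        if (scope.getPackage() == null || !isGranted(scope.getPackage().getName())) {
            return false;
        }
        String p = path.replace('\\', '/');
        // "$up$" is the URL spelling of ".." in Wicket resource paths; refuse both outright
        for (String segment : p.split("/")) {
            if (segment.equals("..") || segment.equals("$up$")) {
                return false;
            }
        }
        String name = p.substring(p.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (blockedNames.contains(name) || dot <= 0 || dot == name.length() - 1) {
            return false; // known config file, or no usable extension: deny
        }
        return allowedExtensions.contains(name.substring(dot + 1).toLowerCase(Locale.ENGLISH));
    }

    private boolean isGranted(String pkg) {
        for (String granted : grantedPackages) {
            if (pkg.equals(granted) || pkg.startsWith(granted + ".")) return true;
        }
        return false;
    }
}
```

With this guard installed, the URL from the report (scope com.myapp.pages.MyBookMarkablePage, path $up$/$up$/$up$/log4j.xml) is refused at the traversal check before any file lookup happens, and log4j.xml or applicationContext.xml inside a granted package are still refused by name.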
