Ticket #98 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Annotation-based security is easy to bypass by adding ".html" to the URL

Reported by: Gavin Owned by: Gavin
Priority: blocker Milestone: 0.8 - Purchasing and Inventory Improvements
Component: gnuMims - application security Version: trunk
Keywords: Cc:

Description

Upstream security issue, see: http://jira.grails.org/browse/GPACEGI-41

The recommended fix is to set grails.mime.file.extensions = false in Config.groovy.

This did not leave gnuMims completely open to the world, since gnuMims was configured with pessimistic security. However, a logged-in user may access URLs that they are not authorised to.
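The relevant Config.groovy settings, as an added illustration rather than the gnuMims revision itself (the controller path, the role name and the use of the Spring Security plugin's rejectIfNoRule setting are assumptions for the example):

```groovy
// Config.groovy (illustrative; not gnuMims' actual configuration)

// Weak: with extension handling on, Grails strips a trailing ".html" to pick the
// response format, so a request for "/admin/list.html" is served by the same
// action as "/admin/list" but is not matched by that action's @Secured rule.
// grails.mime.file.extensions = true

// Fix recommended in GPACEGI-41: stop treating URL extensions as format hints,
// so the secured URL and the requested URL are compared as written.
grails.mime.file.extensions = false

// Pessimistic lockdown (assumed plugin setting): any URL without a matching
// rule is denied. This is why the bypass only affected logged-in users here
// rather than exposing the application to anonymous requests.
grails.plugins.springsecurity.rejectIfNoRule = true

// Example of the annotation form this ticket is about (hypothetical controller):
// @Secured(['ROLE_ADMIN'])
// class AdminController { def list = { ... } }
```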

Change History

Changed 3 years ago by Gavin

  • status changed from new to closed
  • resolution set to fixed

Fixed in r887.
