Ticket #98 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Annotation-based security is easy to bypass by adding ".html" to the URL

Reported by: Gavin
Owned by: Gavin
Priority: blocker
Milestone: 0.8 - Purchasing and Inventory Improvements
Component: gnuMims - application security
Version: trunk
Keywords:
Cc:

Description

Upstream security issue, see: http://jira.grails.org/browse/GPACEGI-41

Recommended fix is to set grails.mime.file.extensions = false in Config.groovy.

This did not leave gnuMims completely open to the world, since gnuMims was configured with pessimistic security. However, a logged-in user may access URLs that they are not authorised to.
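To make the mismatch concrete, here is an added Python model of the bug class described in this ticket (it is not the Grails plugin's or gnuMims' code): the framework strips a known file extension before URL mapping, while the security check matches the raw request path, so under pessimistic lockdown an anonymous request is still refused but a logged-in user can reach a rule they do not satisfy. The rule table, paths and the "pessimistic" policy are constructed assumptions; the two defences modelled are the recommended config change and normalising the path before the security match.

```python
import re

# Constructed rule table: URL -> role required to reach it (hypothetical paths).
RULES = {"/admin/users": "ROLE_ADMIN", "/inventory/list": "ROLE_USER"}
KNOWN_EXTENSIONS = {"html", "json", "xml"}
EXT_RE = re.compile(r"\.([A-Za-z0-9]+)$")


def strip_extension(path):
    """Return the path without a trailing known extension ('/a/b.html' -> '/a/b')."""
    m = EXT_RE.search(path)
    if m and m.group(1).lower() in KNOWN_EXTENSIONS:
        return path[:m.start()]
    return path


def route(path, file_extensions):
    """Where the framework sends the request. With file extensions enabled the
    extension is stripped before URL mapping, so '/admin/users.html' maps to
    '/admin/users'; with the recommended setting (False) no stripping happens."""
    return strip_extension(path) if file_extensions else path


def authorise(path, roles, normalise):
    """Security decision. `roles` is the logged-in user's role set (empty = anonymous).
    Pessimistic lockdown (assumed model): a path with no rule still needs a logged-in
    user; a matched rule needs its role. `normalise` strips the extension first."""
    key = strip_extension(path) if normalise else path
    needed = RULES.get(key)
    if needed is None:
        return bool(roles)  # unmatched path: any authenticated user passes
    return needed in roles


def handle(path, roles, file_extensions=True, normalise=False):
    """Return (decision, resolved target) for one request under a configuration."""
    if not authorise(path, roles, normalise):
        return ("deny", None)
    target = route(path, file_extensions)
    if target not in RULES:
        return ("not-found", None)
    return ("allow", target)


def bypass_possible(path, roles, file_extensions=True, normalise=False):
    """True when the request reaches a target whose rule the user does not satisfy."""
    decision, target = handle(path, roles, file_extensions, normalise)
    return decision == "allow" and RULES[target] not in roles
```

Running the checks in the test below shows the vulnerable default allowing a ROLE_USER through to an admin target, while either defence closes the gap.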

Change History

comment:1 Changed 4 years ago by Gavin

  • Status changed from new to closed
  • Resolution set to fixed

Fixed in r887.
