Menu
▾
▴
#1 Patch for Security Issue Relating to Uploaded Files
In bodington 2.1.0 RC1 and earlier it was possible that
anonymous web users could browse uploaded file area.
This depended on the configuration of the host web
server. The patch below secures these file areas. The
patch assumes that the web server correctly follows the
Java Servlet Specification 2.3 and applies no security
constraints on the servlet's use of the include method.
Add the following to the web.xml deployment descriptor
of the bodington web application;
<!-- Security constraints are only used to protect
user files from direct access -->
<!-- Bodington authentication and authorisation are
handled inside the servlet. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>user_files</web-
resource-name>
<description>User files are only accessed
through include method.</description>
<url-pattern>/files/*</url-pattern>
<url-pattern>/generated/*</url-pattern>
<!-- no http_method specified so all methods
are covered -->
</web-resource-collection>
<auth-constraint>
<!-- no role_name elements means no access
allowed -->
</auth-constraint>
<!-- no user_data_constraint because constraining
transport method is relevant -->
</security-constraint>
The patch is commited to the version control system
and will be incorporated in future releases.
