Opened 10 years ago

Closed 10 years ago

#98 closed defect (fixed)

Annotation-based security is easy to bypass by adding ".html" to the URL

Reported by: Gavin Owned by: Gavin
Priority: blocker Milestone: 0.8 - Purchasing and Inventory Improvements
Component: gnuMims - application security Version: trunk
Keywords: Cc:


Upstream security issue, see:

Recommended fix is to set, in Config.groovy: grails.mime.file.extensions = false

This did not leave gnuMims completely open to the world, since gnuMims was configured with pessimistic security. However, a logged-in user may access URLs that they are not authorised to. With file extensions enabled, Grails strips the suffix and routes /controller/action.html to the same action as /controller/action, while the security rule keyed on the bare URL does not match the suffixed request; disabling the setting makes the suffix part of the URI, so the suffixed URL no longer reaches the protected action.
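A check for the bypass described above, added here as an example and not part of gnuMims or Grails: for each protected path it requests the bare path and the same path with a format suffix appended, using the session cookie of a logged-in but unprivileged user, and reports any path where the bare request is denied (401, 403, or a redirect to login) but the suffixed one is served. The paths, the cookie name and the demo responses are constructed for illustration; the real probe runs against a live instance via make_fetcher.

```python
# Added example (not gnuMims or Grails code): probe for the ".html" extension bypass.
import sys
from typing import Callable, Iterable, List, Sequence, Tuple
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Suffixes Grails accepts as format extensions when grails.mime.file.extensions is true.
DEFAULT_EXTENSIONS: Sequence[str] = (".html", ".xml", ".json")

# (path, extension, status without extension, status with extension)
Finding = Tuple[str, str, int, int]


class _NoRedirect(HTTPRedirectHandler):
    """Do not follow redirects, so a bounce to the login page stays visible as a 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_fetcher(base_url: str, cookie: str = "") -> Callable[[str], int]:
    """Return fetch(path) -> HTTP status for GET base_url + path.

    cookie is the session cookie of the low-privilege test user (assumption: the
    ticket's scenario needs an authenticated session, e.g. "JSESSIONID=...").
    """
    opener = build_opener(_NoRedirect)

    def fetch(path: str) -> int:
        headers = {"Cookie": cookie} if cookie else {}
        try:
            with opener.open(Request(base_url.rstrip("/") + path, headers=headers)) as resp:
                return resp.status
        except HTTPError as err:  # urllib raises for unfollowed 3xx, 4xx and 5xx
            return err.code

    return fetch


def is_blocked(status: int) -> bool:
    """Treat 401/403 and any redirect (typically to the login page) as access denied."""
    return status in (401, 403) or 300 <= status < 400


def with_extension(path: str, ext: str) -> str:
    """Insert ext before the query string: '/a/b?id=7' -> '/a/b.html?id=7'."""
    base, sep, query = path.partition("?")
    return f"{base}{ext}{sep}{query}"


def find_extension_bypasses(paths: Iterable[str], fetch: Callable[[str], int],
                            extensions: Sequence[str] = DEFAULT_EXTENSIONS) -> List[Finding]:
    """Report paths that are denied bare but served once a format suffix is appended."""
    findings: List[Finding] = []
    for path in paths:
        plain = fetch(path)
        if not is_blocked(plain):
            continue  # this session may use the path anyway; nothing to bypass
        for ext in extensions:
            suffixed = fetch(with_extension(path, ext))
            if not is_blocked(suffixed):
                findings.append((path, ext, plain, suffixed))
    return findings


# Constructed demo responses (hypothetical paths), so the check can be exercised offline.
DEMO_RESPONSES = {
    "/item/list": 200,               # allowed for this user with or without a suffix
    "/item/delete": 403,             # denied bare ...
    "/item/delete.html": 200,        # ... but served with ".html": the bypass
    "/inventory/adjust?id=7": 302,   # redirected to login bare ...
    "/inventory/adjust.html?id=7": 200,
    "/admin/user": 403,              # correctly denied with every suffix
}
DEMO_PATHS = ["/item/list", "/item/delete", "/inventory/adjust?id=7", "/admin/user"]


def demo_fetch(path: str) -> int:
    return DEMO_RESPONSES.get(path, 403)


def main(argv: List[str]) -> int:
    if len(argv) < 4:
        print(f"usage: {argv[0]} BASE_URL SESSION_COOKIE PATH...", file=sys.stderr)
        return 2
    fetch = make_fetcher(argv[1], argv[2])
    findings = find_extension_bypasses(argv[3:], fetch)
    for path, ext, plain, suffixed in findings:
        print(f"BYPASS {path}: {plain} bare, {suffixed} with {ext}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a test instance as the least-privileged account that can log in; a non-empty report means the fix has not taken effect for that path. The demo data shows the two shapes the bug takes: a plain 403 and a redirect to the login page, both turning into a 200 once ".html" is inserted before the query string.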

Change History (1)

comment:1 Changed 10 years ago by Gavin

Resolution: fixed
Status: new → closed

Fixed in r887.
