Feature #2003

Support for granting access to static resource only to authenticated/authorized users

Added by Petr Fišer over 4 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: Radek Tomiška
Category: -
Target version: -
Start date: 01/06/2020
Due date:
% Done: 0%
Estimated time:
Owner:

Description

IdM currently has images and message catalogs ("locales") in a publicly accessible directory.
This is not a product-security issue, since the whole IdM source (including locales) is publicly available on GitHub. But if we implement project-specific changes to the FE, those changes have a separate locale file, and that file is also publicly accessible. This results in a possible information disclosure vulnerability, because we could be leaking meaningful project-specific GUI messages.
For example (and discussion), see private message below.

We should have the ability to hide some images/locales/other static resources behind IdM authentication.
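The access rule this request asks for, as an added example that is not IdM's code and not part of this issue: a default-deny policy for static resources in Python, where product assets stay public, project-specific locales require a login, and a resource can additionally require an authority. The rule paths, the Session type and the APP_ADMIN authority are assumptions made for illustration. The path is decoded and normalised before any rule is matched, because a public-prefix rule checked against the raw path can otherwise be sidestepped with ".." segments.

```python
from dataclasses import dataclass
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote

# Rule values: "public" (no session needed), "authenticated" (any valid
# session), anything else is an authority the session must hold.
# First matching prefix wins; anything unlisted falls back to DEFAULT.
# Prefixes and the APP_ADMIN authority are assumed, not IdM's real layout.
RULES = [
    ("/images/", "public"),
    ("/locales/core/", "public"),            # shipped with the product
    ("/locales/project/", "authenticated"),  # project-specific GUI messages
    ("/docs/internal/", "APP_ADMIN"),        # hypothetical admin-only file
]
DEFAULT = "authenticated"  # default deny for anonymous requests


@dataclass(frozen=True)
class Session:
    user: str
    authorities: frozenset


def canonical_path(raw: str) -> str:
    """Decode and normalise the request path before matching rules, so that
    '/images/../locales/project/cs.json' or '/images/%2e%2e/...' is judged
    by the /locales/project/ rule and not by the public /images/ rule."""
    path = unquote(raw.split("?", 1)[0])
    # lstrip avoids posixpath keeping a leading '//' untouched
    return normpath("/" + path.lstrip("/"))


def decide(raw_path: str, session: Optional[Session]) -> int:
    """Return the HTTP status the static-resource handler should answer with:
    200 serve, 401 login required, 403 authority missing."""
    path = canonical_path(raw_path)
    requirement = DEFAULT
    for prefix, rule in RULES:
        if path.startswith(prefix):
            requirement = rule
            break
    if requirement == "public":
        return 200
    if session is None:
        return 401
    if requirement == "authenticated" or requirement in session.authorities:
        return 200
    return 403
```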

#2

Updated by Petr Fišer over 4 years ago

  • Subject changed from Support for granting access to static resource only to authenticated users to Support for granting access to static resource only to authenticated/authorized users
#3

Updated by Radek Tomiška over 4 years ago

  • Assignee set to Radek Tomiška