Feature #2003 (open)
Support for granting access to static resources only to authenticated/authorized users
Status: New
Priority: Normal
Assignee: Radek Tomiška
Category: -
Target version: -
Start date: 01/06/2020
Due date:
% Done: 0%
Estimated time:
Owner:
Description
IdM currently keeps images and message catalogs ("locales") in a publicly accessible directory.
This is not a product security issue in itself, since the whole IdM source (including the locales) is publicly available on GitHub. But when we implement project-specific changes to the FE, those changes come with a separate locale file, and that file is also publicly accessible. This is a possible information disclosure vulnerability, because we could be leaking meaningful project-specific GUI messages to unauthenticated users.
For an example (and discussion), see the private message below.
We should have the ability to hide selected images, locales and other static resources behind IdM authentication.