Feature #2003

open

Support for granting access to static resource only to authenticated/authorized users

Added by Petr Fišer almost 5 years ago. Updated almost 5 years ago.

Status: New
Priority: Normal
Assignee: Radek Tomiška
Category: -
Target version: -
Start date: 01/06/2020
Due date:
% Done: 0%
Estimated time:
Owner:

Description

IdM currently serves images and message catalogs ("locales") from a publicly accessible directory.
This is not a product-security issue in itself, since the whole IdM source (including the locales) is publicly available on GitHub. But when we implement project-specific changes to the FE, those changes have their own locale file, and that file is publicly accessible as well. This creates a possible information disclosure vulnerability, because meaningful project-specific GUI messages could be leaked.
For an example (and discussion), see the private message below.

We should have the ability to hide some images/locales/other static resources behind IdM authentication.
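To illustrate the behaviour requested above, here is an added example (not CzechIdM code) of a static-resource gate: product-wide resources stay public, while a configurable list of project-specific prefixes requires an authenticated session. The prefixes, the bearer token and the `./static` directory are assumptions made for this illustration.

```go
package main

import (
	"net/http"
	"path"
	"strings"
)

// Constructed list (assumption, not CzechIdM configuration): static paths that
// hold project-specific content and must not be served anonymously.
var protectedPrefixes = []string{
	"/images/customer/",
	"/locales/customer-", // project-specific message catalogs
}

// isProtected checks the cleaned path so that "/locales/../locales/customer-x.json"
// cannot slip past a naive prefix comparison.
func isProtected(p string) bool {
	clean := path.Clean(p)
	for _, prefix := range protectedPrefixes {
		if strings.HasPrefix(clean, prefix) {
			return true
		}
	}
	return false
}

// isAuthenticated stands in for the IdM session/token check; it accepts one
// constructed bearer token so the example runs offline.
func isAuthenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer valid-session-token"
}

// gate decides the response status before any file is touched:
// 200 to serve the resource, 401 to demand authentication first.
func gate(p string, authenticated bool) int {
	if isProtected(p) && !authenticated {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// staticHandler wraps a plain file server with the gate above.
func staticHandler(files http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if gate(r.URL.Path, isAuthenticated(r)) != http.StatusOK {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		files.ServeHTTP(w, r)
	})
}

func main() {
	http.ListenAndServe(":8080", staticHandler(http.FileServer(http.Dir("./static"))))
}
```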
