GRAILS-7542: Views are accessible via a URL pattern

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.4-M1
    • Fix Version/s: 2.0-M1
    • Component/s: View technologies
    • Labels:
      None
    • Environment:
      NA

      Description

      I discussed this on the DEV mailing list here:

      http://grails.1312388.n4.nabble.com/grails-app-views-td3547599.html

      And here's an example showing how this bug can be used to bypass security:

      grails create-app sampleapp
      cd sampleapp
      grails install-plugin spring-security-core
      grails s2-quickstart com.sampleapp User Role
      grails create-controller com.sampleapp.secure

      Edit sampleapp/grails-app/controllers/com/sampleapp/SecureController.groovy

      package com.sampleapp
      import grails.plugins.springsecurity.Secured
      @Secured(['ROLE_USER'])
      class SecureController {
          def index = {}
      }
      

      Edit sampleapp/grails-app/views/secure/index.gsp

      <p>Secure access should be required to view this page.</p>
      

      This URL correctly redirects to the default login page and content can't be viewed.
      http://localhost:8080/sampleapp/secure/index

      This URL does NOT redirect to login and secure content is viewable without logging in.
      http://localhost:8080/sampleapp/grails-app/views/secure/index.gsp

        Activity

        Igor E. Poteryaev added a comment -

        URLs like

        http://localhost:8080/sampleapp/plugins/somePlugin-x.y/grails-app/views/secure/index.gsp

        are viewable too.

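Added detection example, not part of this issue or of the Grails project: a Python scan over constructed access-log lines that flags requests hitting the direct-view paths described above (the application's own grails-app/views tree, the plugins/&lt;name&gt;-x.y/grails-app/views copy, and any raw .gsp file), so an operator of an affected deployment can tell from their logs whether the bypass was exercised before upgrading to a fixed version.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (Common Log Format) for an app deployed under
# the /sampleapp context path; the request paths mirror the ones in this issue.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2011:12:00:01 +0000] "GET /sampleapp/secure/index HTTP/1.1" 302 0
10.0.0.5 - - [10/Jun/2011:12:00:07 +0000] "GET /sampleapp/grails-app/views/secure/index.gsp HTTP/1.1" 200 57
10.0.0.5 - - [10/Jun/2011:12:00:09 +0000] "GET /sampleapp/plugins/somePlugin-1.0/grails-app/views/secure/index.gsp HTTP/1.1" 200 57
10.0.0.6 - - [10/Jun/2011:12:01:00 +0000] "GET /sampleapp/login/auth HTTP/1.1" 200 1203
10.0.0.6 - - [10/Jun/2011:12:01:02 +0000] "GET /sampleapp/images/grails_logo.png HTTP/1.1" 200 8700
"""

# Minimal CLF parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# A request that reaches into grails-app/ (directly or through the plugins
# directory) or asks for a raw .gsp template should never be served by the app.
DIRECT_VIEW_RE = re.compile(r'(^|/)grails-app/', re.IGNORECASE)
GSP_RE = re.compile(r'\.gsp$', re.IGNORECASE)


def is_direct_view_request(path: str) -> bool:
    """True if the path targets grails-app/ (app or plugin copy) or a .gsp file."""
    path = unquote(path.split('?', 1)[0])  # drop query string, decode %-encoding
    return bool(DIRECT_VIEW_RE.search(path) or GSP_RE.search(path))


def find_direct_view_hits(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries for direct-view requests the server actually served (2xx).

    A patched Grails version answers these with a 404, so any 2xx here is a
    sign that template source was exposed on an affected deployment.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        entry = m.groupdict()
        if is_direct_view_request(entry['path']) and entry['status'].startswith('2'):
            hits.append(entry)
    return hits


if __name__ == '__main__':
    for h in find_direct_view_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```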

          People

          • Assignee:
            Graeme Rocher
          • Reporter:
            Bobby Warner
          • Votes:
            2
          • Watchers:
            3
