0 Replies Latest reply on Feb 12, 2004 12:08 PM by mcscottmc

Possible Security Hole

mcscottmc

I noticed that, the way ComponentSupport implements getResource(String path), any file in the module's sar is available for download over the web, including class files.

If you design a custom module, make sure that you do not have any sensitive code in the sar. Another workaround is to override getResource(String) to have custom security logic (see HTMLModule), or just return null if you don't want to ever serve up resources.

-Scott
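One way to implement the "override getResource(String) with custom security logic" workaround from the post above, as an added example that is not code from the original post or from the Nukes project. It assumes, which the post does not state, that getResource(String) returns a java.net.URL and that the parent class's lookup can be stood in for by the placeholder ResourceBase; the directory and extension allowlists are constructed values. The idea is deny-by-default: only plain relative paths under named public directories with known static file types are served, so .class files, deployment descriptors and anything else packed into the .sar stay unreachable.

```java
import java.net.URL;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not the original post's code, not the Nukes project's code).
 * A module that overrides getResource(String) so that only an explicit
 * allowlist of static content is ever handed out over the web.
 *
 * Assumptions not in the post: getResource returns java.net.URL, and the
 * real ComponentSupport base class is represented by ResourceBase below.
 */
public class GuardedModule extends ResourceBase {

    // Directories inside the .sar that hold public static content (constructed values).
    private static final Set<String> ALLOWED_DIRS = Set.of("images/", "css/", "js/");
    // File types that are safe to serve verbatim (constructed values).
    private static final Set<String> ALLOWED_EXT = Set.of(".png", ".gif", ".jpg", ".css", ".js", ".html");

    /** Decide whether a requested path may be served; anything not explicitly allowed is denied. */
    static boolean isServable(String path) {
        if (path == null || path.isEmpty() || path.length() > 255) {
            return false;
        }
        // Plain relative paths with forward slashes only: no absolute paths,
        // backslashes, empty segments or embedded NULs.
        if (path.startsWith("/") || path.contains("\\") || path.contains("//") || path.indexOf('\0') >= 0) {
            return false;
        }
        for (String segment : path.split("/")) {
            // Rejects "..", "." and dot-files, so traversal out of the allowed directory is impossible.
            if (segment.isEmpty() || segment.startsWith(".")) {
                return false;
            }
        }
        String lower = path.toLowerCase(Locale.ROOT);
        boolean dirOk = ALLOWED_DIRS.stream().anyMatch(lower::startsWith);
        boolean extOk = ALLOWED_EXT.stream().anyMatch(lower::endsWith);
        return dirOk && extOk;
    }

    @Override
    public URL getResource(String path) {
        if (!isServable(path)) {
            // Deny: class files, descriptors and everything outside the allowlist are never served.
            return null;
        }
        return super.getResource(path);
    }

    public static void main(String[] args) {
        // Constructed probe paths to show which requests the module would answer.
        String[] probes = {
            "images/logo.png",            // served
            "css/site.css",               // served
            "org/example/Foo.class",      // denied: not under an allowed directory
            "images/../Foo.class",        // denied: traversal segment
            "META-INF/jboss-service.xml"  // denied: descriptor, not public content
        };
        for (String p : probes) {
            System.out.println(p + " -> " + (isServable(p) ? "served" : "denied"));
        }
    }
}

/** Placeholder standing in for the real ComponentSupport base class (assumption, not project code). */
class ResourceBase {
    public URL getResource(String path) {
        // A real module would resolve the path inside its own .sar here.
        return getClass().getClassLoader().getResource(path);
    }
}
```

The post's simpler alternative, a module that never serves resources, is the same override with `return null;` as its whole body. Keeping the allowlist in the module rather than relying on a denylist of extensions means a new file type dropped into the .sar is not exposed by accident.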