[jboss-jira] [JBoss JIRA] (WFLY-2637) Don't allow audit logs to be viewed with list-log-files and read-log-file operations
James Perkins (JIRA)
issues at jboss.org
Thu Jan 2 12:33:32 EST 2014
[ https://issues.jboss.org/browse/WFLY-2637?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12933419#comment-12933419 ]
James Perkins commented on WFLY-2637:
-------------------------------------
Just a general comment so I don't forget, this whole thing should be looked at again. Ideally we don't want to turn {{jboss.server.log.dir}} into a generic file server directory for these commands. One option is to only allow defined file handlers' files to be listed/read, but this poses security concerns.
> Don't allow audit logs to be viewed with list-log-files and read-log-file operations
> ------------------------------------------------------------------------------------
>
> Key: WFLY-2637
> URL: https://issues.jboss.org/browse/WFLY-2637
> Project: WildFly
> Issue Type: Enhancement
> Security Level: Public(Everyone can see)
> Components: Logging
> Reporter: James Perkins
> Assignee: James Perkins
>
> Currently the {{list-log-files}} and {{read-log-file}} operations will allow any file in {{jboss.server.log.dir}} to be listed/viewed. Ideally only log files will be accessible, but ultimately audit logs need to definitely not be accessible.
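
An added illustration, not WildFly code and not part of this thread: a sketch of the "only files of defined file handlers" option, where a read request is resolved against the log directory and served only if it matches an allowlisted handler file. The class `LogFileAccess`, its method names and the sample file names are hypothetical, and the list of handler file names is assumed to come from the logging configuration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class LogFileAccess {
    private final Path logDir;
    private final Set<Path> allowed = new HashSet<>();

    // handlerFiles: names written by configured file handlers (assumed input).
    LogFileAccess(Path logDir, List<String> handlerFiles) throws IOException {
        this.logDir = logDir.toRealPath();
        for (String name : handlerFiles) {
            allowed.add(this.logDir.resolve(name).normalize());
        }
    }

    // Returns the file to read, or throws if the request is not allowlisted.
    Path resolveForRead(String requested) throws IOException {
        Path candidate = logDir.resolve(requested).normalize();
        if (!candidate.startsWith(logDir) || !allowed.contains(candidate)) {
            throw new SecurityException("not a readable log file: " + requested);
        }
        // Reject symlinks: an allowlisted name must not point at another file.
        if (!candidate.toRealPath().equals(candidate) || !Files.isRegularFile(candidate)) {
            throw new SecurityException("not a regular log file: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory and file names.
        Path dir = Files.createTempDirectory("logdir");
        Files.writeString(dir.resolve("server.log"), "INFO started\n");
        Files.writeString(dir.resolve("audit-log.log"), "{\"op\":\"write\"}\n");
        LogFileAccess access = new LogFileAccess(dir, List.of("server.log"));

        System.out.println("allowed: " + access.resolveForRead("server.log").getFileName());
        for (String bad : List.of("audit-log.log", "../audit-log.log", "../../outside.txt")) {
            try {
                access.resolveForRead(bad);
                System.out.println("UNEXPECTED allow: " + bad);
            } catch (SecurityException e) {
                System.out.println("denied: " + bad);
            }
        }
    }
}
```

The audit log is denied here only because it is absent from the allowlist; a configuration that registers it as an ordinary file handler would expose it again, so an explicit exclusion for audit files is still needed.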