[ https://jira.duraspace.org/browse/DS-304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Donohue updated DS-304:
---------------------------
Status: Volunteer Needed (was: Received)
Discussed this ticket again today.
It seems like the "simple fix" may be to see if we can restrict access to the
"mets.xml" files generated by XMLUI. They likely should just be internal-only
and not publicly accessible to the world.
However, we need a volunteer to look into it.
> XMLUI's METS generator ignores authorization
> --------------------------------------------
>
> Key: DS-304
> URL: https://jira.duraspace.org/browse/DS-304
> Project: DSpace
> Issue Type: Bug
> Components: XMLUI
> Affects Versions: 1.5.0, 1.5.1, 1.5.2
> Reporter: Kim Shepherd
>
> (apologies if this is a duplicate, I couldn't find any related issues, though
> I know the OAI interface has been under similar scrutiny)
> By default, XMLUI will generate and send METS metadata for a DSO if the URL
> pattern matches: metadata/handle/*/*/**
> Item/collection/community authorisations are not checked by
> DSpaceMETSGenerator first, which means that items with no anonymous READ
> access, items with [Harvard/MIT-style] embargoes applied, etc. are still
> ultimately exposing metadata to users and machines who know how to take
> advantage of this bug.
> I am not sure whether this should be handled by patching DSpaceMETSGenerator
> or disabling the pattern match in sitemap.xmap by default and documenting its
> behaviour thoroughly, so admins can enable it once they are sure they are
> happy with unrestricted metadata access.
> I can't promise these URLs will remain live/relevant forever, but you can
> quickly replicate this bug by viewing:
> http://www.anonymous.org.nz:8180/handle/123456789/23
> http://www.anonymous.org.nz:8180/metadata/handle/123456789/23/mets.xml
> Any comments/suggestions?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
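The two failure modes in the report (the METS route answering for an item with no anonymous READ, and for an embargoed item) and the two remedies Kim lists (check authorization in the generator, or disable the sitemap match) are shown below in a constructed Python model. This is an added example, not DSpace's own code: `DSpaceObject`, `REPO`, `authorized_read`, the `serve_*` functions and the handles used are all hypothetical stand-ins for XMLUI's real object model, sitemap.xmap pipeline and AuthorizeManager.

```python
import re
from dataclasses import dataclass

# Constructed in-memory stand-in for a DSpace repository (hypothetical model;
# not DSpace's real object model or authorization API).
@dataclass
class DSpaceObject:
    handle: str
    title: str
    anonymous_read: bool      # the Anonymous group holds READ on the object
    embargoed: bool = False   # Harvard/MIT-style embargo currently in force

REPO = {
    "123456789/23": DSpaceObject("123456789/23", "Public item", anonymous_read=True),
    "123456789/24": DSpaceObject("123456789/24", "Restricted item", anonymous_read=False),
    "123456789/25": DSpaceObject("123456789/25", "Embargoed item", anonymous_read=True, embargoed=True),
}

# Stand-in for the sitemap.xmap match on metadata/handle/*/*/**
METS_PATTERN = re.compile(r"^metadata/handle/([^/]+)/([^/]+)/(.+)$")


def generate_mets(dso: DSpaceObject) -> str:
    """Minimal METS-like document; just enough to show what leaks."""
    return (f'<mets OBJID="hdl:{dso.handle}">'
            f'<dmdSec><title>{dso.title}</title></dmdSec></mets>')


def authorized_read(dso: DSpaceObject, user: str) -> bool:
    """Hypothetical READ check: admins always pass, embargoed objects fail for
    everyone else, otherwise the object must be anonymously readable."""
    if user == "admin":
        return True
    if dso.embargoed:
        return False
    return dso.anonymous_read


def resolve(path: str):
    """Map a request path to a repository object, mimicking the URL match."""
    m = METS_PATTERN.match(path)
    if not m:
        return None
    prefix, suffix, rest = m.groups()
    if rest != "mets.xml":
        return None
    return REPO.get(f"{prefix}/{suffix}")


def serve_vulnerable(path: str, user: str = "anonymous"):
    """Behaviour described in DS-304: the pattern matches, METS is generated,
    and authorization is never consulted. Returns (status, body)."""
    dso = resolve(path)
    if dso is None:
        return 404, ""
    return 200, generate_mets(dso)


def serve_fixed(path: str, user: str = "anonymous", mets_enabled: bool = True):
    """Both remedies from the report: the route can be switched off entirely
    (mets_enabled=False stands in for removing the sitemap match), and when it
    is on, READ authorization is checked before any METS is generated."""
    if not mets_enabled:
        return 404, ""
    dso = resolve(path)
    if dso is None:
        return 404, ""
    if not authorized_read(dso, user):
        return 403, ""
    return 200, generate_mets(dso)


if __name__ == "__main__":
    for h in ("23", "24", "25"):
        p = f"metadata/handle/123456789/{h}/mets.xml"
        print(p, "vulnerable:", serve_vulnerable(p)[0], "fixed:", serve_fixed(p)[0])
```

Running the block shows the restricted and embargoed handles answered with 200 and a body by the vulnerable route but 403 by the fixed one, while the public item is served by both; the check is deliberately placed before `generate_mets` so that no metadata is built, let alone sent, for an object the requester may not read.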