https://bugzilla.novell.com/show_bug.cgi?id=467221
https://bugzilla.novell.com/show_bug.cgi?id=467221#c11 Mike Morano <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |ASSIGNED Summary|asp.net security trimming / |[PATCH] asp.net security |authorization not working |trimming / authorization | |not working --- Comment #11 from Mike Morano <[email protected]> 2010-11-20 20:04:04 UTC --- Hello, I have finally found a bit of time to work on this, and have a more conservative fix to the issue, and am running this now on my current site with expected behavior. When the sitemap is looking for an applicable node for security trimming, it will call the new method which can return a configuration location that represents the most specific path configured for the requested url. I have not observed any negative side effects of this code with my website: diff --git a/mcs/class/System.Configuration/System.Configuration/Configuration.cs b/mcs/class/System.Configuration/System.Configuration/Configuration.cs index b8a3df7..6f80617 100644 --- a/mcs/class/System.Configuration/System.Configuration/Configuration.cs +++ b/mcs/class/System.Configuration/System.Configuration/Configuration.cs @@ -100,7 +100,7 @@ namespace System.Configuration { if (relativePath.StartsWith (relConfigPath, StringComparison.Ordinal)) relativePath = relativePath.Substring (relConfigPath.Length); - ConfigurationLocation loc = Locations.Find (relativePath); + ConfigurationLocation loc = Locations.FindBest (relativePath); if (loc == null) return parentConfig; diff --git a/mcs/class/System.Configuration/System.Configuration/ConfigurationLocationCollection.cs b/mcs/class/System.Configuration/System.Configuration/ConfigurationLocationCollection.cs index c5a439b..b8f8ed3 100644 --- a/mcs/class/System.Configuration/System.Configuration/ConfigurationLocationCollection.cs +++ b/mcs/class/System.Configuration/System.Configuration/ConfigurationLocationCollection.cs 
@@ -54,6 +54,37 @@ namespace System.Configuration { return loc; return null; } + + internal ConfigurationLocation FindBest (string location) + { + if(location == null) + return null; + + ConfigurationLocation bestMatch = null; + + foreach (ConfigurationLocation loc in InnerList) + { + if(location.StartsWith(loc.Path, StringComparison.OrdinalIgnoreCase)) + { + // ensure path based comparisons consider full directory names (i.e. so 'admin' does not match an 'administration' path) + if(location.Length > loc.Path.Length && location[loc.Path.Length] != '/') + { + continue; + } + + if(bestMatch == null) + { + bestMatch = loc; + } + else if(bestMatch.Path.Length < loc.Path.Length) + { + bestMatch = loc; + } + } + } + + return bestMatch; + } } } I believe there could be one other enhancement to this patch, which is not included in the above. For example, consider the following in a web.config: <location path="admin"> <system.web> <authorization> ... </authorization> </system.web> </location> <location path="admin/upload"> <system.web> <httpRuntime /> </system.web> </location> To determine the security settings of a file in the admin/upload path, you would need to consider the setting in "admin", as this is the most specific location that specifies the authorization rules. I have not tested this, but currently I might expect to see that "admin/upload" location would be used to try and identify the authorization rule, but would not be defined there. As such, there could be a need to know the config section that is of interest as part of this search, as it would need to return a configuration location that contains the settings that are needed (in this example, the system.web/authorization section). Of course a data structure could be used to track the different configured paths, but that looks like it would be quite an undertaking. Please let me know if you have any questions. 
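Review bot: In the Configuration.cs hunk, the new `Locations.FindBest (relativePath)` call compares paths with `StringComparison.OrdinalIgnoreCase`, while the line just above it strips `relConfigPath` with `StringComparison.Ordinal`; use one comparison for both steps so a request that differs from its `<location path>` only in case is handled the same way at each stage. This call site is also not specific to the sitemap security-trimming path the comment describes: every caller that opens configuration for a sub-path now receives the nearest ancestor `<location>` where it previously got `parentConfig` on a non-exact match, so the commit message should state that wider behaviour change.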
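Review bot: In the ConfigurationLocationCollection.cs hunk, the directory-boundary check in `FindBest` assumes `loc.Path` carries no trailing slash: for `<location path="admin/">` and the request `admin/upload`, `location[loc.Path.Length]` is `'u'`, so the `continue` skips the location, and for the request `admin` the `StartsWith` fails outright. Trimming a trailing `/` from both sides before comparing, or extending the test to `location.Length == loc.Path.Length || location[loc.Path.Length] == '/' || loc.Path.EndsWith ("/")`, covers both spellings. A location whose `Path` is empty passes `StartsWith` for every request and is then dropped by the same boundary check unless the request begins with `/`, so decide explicitly whether a path-less location should be a candidate, and add a null guard for `loc.Path` matching the one already on `location`, since `StartsWith (null, ...)` throws. Style: the two `bestMatch` branches collapse to `if (bestMatch == null || bestMatch.Path.Length < loc.Path.Length) bestMatch = loc;`, and `if(` should be `if (` as in the surrounding Mono code.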
Thanks,
Mike

--
------- You are receiving this mail because: -------
You are the QA contact for the bug.
_______________________________________________
mono-bugs maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-bugs
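The two rules the comment above relies on, longest-prefix `<location>` matching with a directory boundary (so `admin` does not cover `administration`) and falling back to the nearest enclosing location that actually defines the section of interest (so a file under `admin/upload` still gets the `<authorization>` rules from `admin`), modelled as an added, self-contained Python example. This is not Mono's code and does not use its `ConfigurationLocation` types; `Location`, `find_best` and `resolve_section` are names chosen here, and the sample locations are constructed to mirror the web.config fragment in the comment, with a third `administration` entry added to exercise the boundary check.

```python
"""Model of <location path="..."> lookup with directory-boundary matching
and per-section fallback to the nearest ancestor. Added example; not Mono's
implementation."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Location:
    """One <location path="..."> element and the config sections it defines.

    `sections` maps a section name (e.g. "system.web/authorization") to its
    settings; a location that omits a section simply has no entry for it.
    """
    path: str
    sections: dict = field(default_factory=dict)


def _normalize(path: str) -> str:
    # Drop surrounding slashes and compare case-insensitively, so "Admin/"
    # and "admin" name the same directory; this removes the trailing-slash
    # pitfall of a raw StartsWith comparison.
    return path.strip("/").lower()


def is_under(request_path: str, location_path: str) -> bool:
    """True if request_path is location_path itself or lies inside it.

    The "/" boundary is what stops 'admin' from matching 'administration'.
    """
    req, loc = _normalize(request_path), _normalize(location_path)
    if loc == "":
        return True  # a path-less location applies to the whole application
    return req == loc or req.startswith(loc + "/")


def find_best(locations: list, request_path: str) -> Optional[Location]:
    """Most specific (longest-path) location whose directory contains the request."""
    best = None
    for loc in locations:
        if is_under(request_path, loc.path) and (
            best is None or len(_normalize(loc.path)) > len(_normalize(best.path))
        ):
            best = loc
    return best


def resolve_section(locations: list, request_path: str, section: str):
    """Nearest enclosing location that actually defines `section`.

    The closest location by path may not carry the section being asked for
    (the comment's admin/upload case), so candidates are walked from most to
    least specific until one defines it. Returns (location, settings) or
    (None, None) when no enclosing location defines the section.
    """
    candidates = [loc for loc in locations if is_under(request_path, loc.path)]
    candidates.sort(key=lambda loc: len(_normalize(loc.path)), reverse=True)
    for loc in candidates:
        if section in loc.sections:
            return loc, loc.sections[section]
    return None, None


# Constructed sample mirroring the web.config fragment in the comment, plus an
# "administration" location to show the directory-boundary check.
SAMPLE_LOCATIONS = [
    Location("admin", {"system.web/authorization": {"deny": "?", "allow": "admins"}}),
    Location("admin/upload", {"system.web/httpRuntime": {"maxRequestLength": 65536}}),
    Location("administration", {"system.web/authorization": {"allow": "*"}}),
]

if __name__ == "__main__":
    for req in ("admin/upload/file.aspx", "administration/x.aspx", "Admin/", "public/x.aspx"):
        best = find_best(SAMPLE_LOCATIONS, req)
        loc, rules = resolve_section(SAMPLE_LOCATIONS, req, "system.web/authorization")
        print(f"{req}: best={best.path if best else None} "
              f"authorization from={loc.path if loc else None} rules={rules}")
```

Running the block shows `admin/upload/file.aspx` selecting `admin/upload` as its most specific location while its authorization rules come from `admin`, and `administration/x.aspx` never picking up the `admin` rules; the same walk-outward lookup is what the comment describes as needing a section-aware search rather than a single path match.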
