https://bugzilla.novell.com/show_bug.cgi?id=659791
https://bugzilla.novell.com/show_bug.cgi?id=659791#c0

Summary: Client Access Policy fails when multiple domains are in the allow from (e.g. http + https)
Classification: Mono
Product: Mono: Class Libraries
Version: 2.8.x
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P5 - None
Component: System.Security
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

If you access a site that lists multiple domains in the allow from, the policy will be rejected because there is only a single "Scheme" field in the AllowFrom class. I'm not sure on the best fix, but perhaps Scheme should be turned into a bitfield of allowable Schemes rather than a string.

In System.Net.Policy.ClientAccessPolicy.ReadAllowFromElement(), as each domain is parsed, it overrides the previously parsed domains in the Scheme property. Then in System.Net.Policy.AllowFrom.IsAllowed(), only the last Scheme is checked against.

For example, consider a policy file like:

    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="*">
            <domain uri="http://*" />
            <domain uri="https://*" />
          </allow-from>
          <grant-to>
            <resource path="/ts-1.0" include-subpaths="true" />
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

Then the Scheme will be set to "https" and "http" will be denied.

Reproducible: Always

Steps to Reproduce:
Open up a web request to a server with multiple policies and you will get a SecurityException. A publicly available one that I've been using is "http://nobel.niwsc.com/ts-1.0/LVWSSysAdmin/GetAllUserServices"

I've attached a small test case that accesses this uri. I've been running it with the current GIT version of Moonlight on Linux. I included both a xap and the source code as well as a Visual Studio solution used to build it.
If you open up index.html under Firefox with a current Moonlight plugin you'll see various SecurityException errors on the console.

Actual Results: SecurityException

Expected Results: xml file containing "TimeServer"

I'd be happy to test and verify any patches since Moonlight can be a bit of a hassle if you don't already have it set up. I'm a bit new to Mono so I'm not sure how to best produce a non-Moonlight example that enforces the client access policy...
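To make the described failure concrete, here is a stand-alone C# sketch (added here; it is not Mono's System.Net.Policy code) that parses the allow-from block of the policy quoted above two ways: a single Scheme string that each <domain> overwrites, as the report describes, and a set that keeps every scheme listed. The request URI host is constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Constructed stand-alone illustration of the reported behaviour.
static class AllowFromDemo
{
    // The policy from the report: two <domain> entries, http and https.
    const string Policy = @"<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers=""*"">
    <domain uri=""http://*"" />
    <domain uri=""https://*"" />
  </allow-from>
  <grant-to><resource path=""/ts-1.0"" include-subpaths=""true"" /></grant-to>
</policy></cross-domain-access></access-policy>";

    // Scheme part of a <domain uri="..."> value such as "http://*". The host is a
    // wildcard, so System.Uri is not used; a plain split is enough here.
    static string SchemeOf(XElement domain)
    {
        string uri = (string)domain.Attribute("uri");
        int i = uri.IndexOf("://", StringComparison.Ordinal);
        return i < 0 ? "*" : uri.Substring(0, i).ToLowerInvariant();
    }

    // Reported shape: one Scheme string, so each <domain> overwrites the last.
    public static string LastSchemeOnly(XElement allowFrom)
    {
        string scheme = null;
        foreach (XElement d in allowFrom.Elements("domain"))
            scheme = SchemeOf(d);
        return scheme;
    }

    // Proposed shape: remember every scheme listed in the allow-from block.
    public static HashSet<string> AllSchemes(XElement allowFrom)
    {
        var schemes = new HashSet<string>(StringComparer.Ordinal);
        foreach (XElement d in allowFrom.Elements("domain"))
            schemes.Add(SchemeOf(d));
        return schemes;
    }

    public static bool IsAllowed(ISet<string> schemes, Uri request)
    {
        return schemes.Contains("*") || schemes.Contains(request.Scheme);
    }

    static void Main()
    {
        XElement allowFrom = XDocument.Parse(Policy).Root
            .Element("cross-domain-access").Element("policy").Element("allow-from");
        var request = new Uri("http://example.test/ts-1.0/x"); // constructed request
        Console.WriteLine("last scheme only: " + LastSchemeOnly(allowFrom));
        Console.WriteLine("http allowed, single scheme: " +
            IsAllowed(new HashSet<string> { LastSchemeOnly(allowFrom) }, request));
        Console.WriteLine("http allowed, scheme set: " + IsAllowed(AllSchemes(allowFrom), request));
    }
}
```

With the single-string shape the http request is refused because only "https" survived parsing; with the set both schemes are accepted.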
