msmith      02/01/30 21:36:11

  Modified:    src/share/org/apache/slide/security SecurityImpl.java
  Log:
  Fix for security hole:
    If we have an object /files/a, and an object /files/ab, and a user has
  inheritable permission(s) on /files/a, then they were able to also use those
  permission(s) on /files/ab, due to a bug in the checking.
  Rather than allowing anything starting with /files/a, we allow only /files/a
  and anything starting with /files/a/ (the latter case being correctly allowed
  by the inheritable flag).
  
  Revision  Changes    Path
  1.28      +37 -32    
jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java
  
  Index: SecurityImpl.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- SecurityImpl.java 12 Sep 2001 13:50:32 -0000      1.27
  +++ SecurityImpl.java 31 Jan 2002 05:36:11 -0000      1.28
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v 1.27 
2001/09/12 13:50:32 juergen Exp $
  - * $Revision: 1.27 $
  - * $Date: 2001/09/12 13:50:32 $
  + * $Header: 
/home/cvs/jakarta-slide/src/share/org/apache/slide/security/SecurityImpl.java,v 1.28 
2002/01/31 05:36:11 msmith Exp $
  + * $Revision: 1.28 $
  + * $Date: 2002/01/31 05:36:11 $
    *
    * ====================================================================
    *
  @@ -77,7 +77,7 @@
    * Security helper.
    *
    * @author <a href="mailto:[EMAIL PROTECTED]";>Remy Maucherat</a>
  - * @version $Revision: 1.27 $
  + * @version $Revision: 1.28 $
    */
   public final class SecurityImpl implements Security {
       
  @@ -436,7 +436,7 @@
           
           Uri subjectUri = namespace.getUri(subject.getUri());
           Uri actionUri = namespace.getUri(action.getUri());
  -        
  +
           while (!granted && !denied && !rootObjectReached) {
               
               Uri courUri = namespace.getUri(courObject.getUri());
  @@ -455,12 +455,14 @@
                   if (permissionSubject.equals("~")) {
                       
                       boolean check;
  +                    check = object.getUri().equals(subjectUri.toString());
                       if (permission.isInheritable()) {
  -                        check =
  -                            object.getUri().startsWith(subjectUri.toString());
  -                    } else {
  -                        check = object.getUri().equals(subjectUri.toString());
  -                    }
  +                        String subjectUriString = subjectUri.toString();
  +                        if(!subjectUriString.endsWith("/"))
  +                            subjectUriString = subjectUriString + "/";
  +
  +                        check |= object.getUri().startsWith(subjectUriString);
  +                    } 
                       
                       // Self permission
                       granted = (!permission.isNegative())
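Review bot: The trailing-slash step on `subjectUriString` carries the whole fix but has no comment saying why, and the same normalisation is written out again in the node-permission and group-member hunks below. I would add `// Match on a path-segment boundary so /files/a does not also cover /files/ab` above the `endsWith("/")` test, and consider one private helper for the normalisation so the three sites cannot drift apart. The unbraced `if` is also worth bracing in an access-control path. The enclosing loop starts and ends outside this hunk, so how `check` is combined with the action test cannot be seen here.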
  @@ -478,16 +480,18 @@
                       if (permissionSubject.startsWith("/")) {
                           
                           // Node permission
  -                        granted = (!permission.isNegative())
  -                            && (subjectUri.toString()
  -                                .startsWith(permission.getSubjectUri()))
  -                            && (actionUri.toString()
  -                                .startsWith(permission.getActionUri()));
  -                        denied = (permission.isNegative())
  -                            && (subjectUri.toString()
  -                                .startsWith(permission.getSubjectUri()))
  -                            && (actionUri.toString()
  -                                .startsWith(permission.getActionUri()));
  +
  +                        String permSubj = permission.getSubjectUri();
  +                        if(!permSubj.endsWith("/"))
  +                            permSubj = permSubj + "/";
  +                        boolean match = subjectUri.toString().
  +                            equals(permission.getSubjectUri()) ||
  +                            subjectUri.toString().startsWith(permSubj);
  +                        match &= actionUri.toString().
  +                            startsWith(permission.getActionUri());
  +
  +                        granted = (!permission.isNegative()) && match;
  +                        denied = permission.isNegative() && match;
                           
                       } else if (permissionSubject.startsWith("+")) {
                           
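Review bot: The action side of `match` still uses a bare `startsWith(permission.getActionUri())`, so the sibling-prefix confusion this commit removes for subjects appears to remain for action URIs that share a string prefix; the same line is repeated in the group-member hunk further down. The same boundary rule would close it: `String permAct = permission.getActionUri(); if (!permAct.endsWith("/")) permAct += "/";` followed by `match &= actionUri.toString().equals(permission.getActionUri()) || actionUri.toString().startsWith(permAct);`. Separately, the `equals` arm compares against the raw `permission.getSubjectUri()`, so a stored subject with a trailing slash would presumably stop matching the node itself; it is worth confirming whether such values can be stored. The enclosing method lies outside the hunk.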
  @@ -522,19 +526,20 @@
                                           ((LinkNode) childNode)
                                           .getLinkedUri() :
                                           childNode.getUri() ;
  +
  +                                    if(!childSubjectUri.endsWith("/"))
  +                                        childSubjectUri = childSubjectUri+"/";
  +
  +                                    boolean match = subjectUri.toString().
  +                                        equals(childSubjectUri) ||
  +                                        subjectUri.toString().
  +                                        startsWith(childSubjectUri+"/");
  +                                    match &= actionUri.toString().
  +                                        startsWith(permission.getActionUri());
                                       
  -                                    granted = (!permission.isNegative())
  -                                        && (subjectUri.toString()
  -                                            .startsWith(childSubjectUri))
  -                                        && (actionUri.toString()
  -                                            .startsWith
  -                                            (permission.getActionUri()));
  -                                    denied = (permission.isNegative())
  -                                        && (subjectUri.toString()
  -                                            .startsWith(childSubjectUri))
  -                                        && (actionUri.toString()
  -                                            .startsWith
  -                                            (permission.getActionUri()));
  +                                    granted = (!permission.isNegative()) && 
  +                                        match;
  +                                    denied = permission.isNegative() && match;
                                       
                                       granted = granted | oldGranted;
                                       denied = denied | oldDenied;
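Review bot: The subject test in this hunk can almost never be true, because `childSubjectUri` has "/" appended before the `equals` comparison and `startsWith(childSubjectUri+"/")` then demands a double slash. An exact match on the member's own URI fails unless `subjectUri` itself ends in a slash, so group-member permissions are likely dropped rather than narrowed, and that includes negative ones, which would silently stop denying. Keep the original value for `equals` and use a separate prefix: `String childPrefix = childSubjectUri.endsWith("/") ? childSubjectUri : childSubjectUri + "/";` then `boolean match = subjectUri.toString().equals(childSubjectUri) || subjectUri.toString().startsWith(childPrefix);`. The hunk opens mid-expression inside a loop whose start is outside the view, so the surrounding `oldGranted`/`oldDenied` handling is taken as given.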
  
  
  
