[Mono-bugs] [Bug 60482][Blo] Changed - Critical bug in ASP.NET UrlAuthorization Module (beta 3)

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Sun, 20 Jun 2004 21:02:47 -0400 (EDT)


Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by davidandrewtaylor@hotmail.com.

http://bugzilla.ximian.com/show_bug.cgi?id=60482

--- shadow/60482	2004-06-20 20:49:33.000000000 -0400
+++ shadow/60482.tmp.29914	2004-06-20 21:02:47.000000000 -0400
@@ -2,13 +2,13 @@
 Product: Mono: Class Libraries
 Version: unspecified
 OS: Red Hat 9.0
 OS Details: 
 Status: NEW   
 Resolution: 
-Severity: 
+Severity: Unknown
 Priority: Blocker
 Component: Sys.Web
 AssignedTo: mono-bugs@ximian.com                            
 ReportedBy: davidandrewtaylor@hotmail.com               
 QAContact: mono-bugs@ximian.com
 TargetMilestone: ---
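Review bot: The Severity field in this hunk moves from empty to "Unknown" while Priority stays at Blocker and the subject line calls the bug critical, so the record still carries no usable severity. For a defect in the URL authorization module, set an explicit severity value so that anyone triaging or filtering on that field sees it alongside the Blocker priority.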
@@ -55,6 +55,15 @@
 <deny> element, it returns the 401 status code. Applications or sites can 
 easily configure a <deny users="*"> element at the top level of their 
 site or application to prevent this behavior.  If an <allow> matches, the 
 module does nothing and lets the request be processed further.
 
 I will post some sample testcases.
+
+------- Additional Comments From davidandrewtaylor@hotmail.com  2004-06-20 21:02 -------
+Download the following 5 attached files into a directory and start 
+XSP.  Then try to view the following 3 pages in a web browser.  Note 
+that the MS.NET implementation is correct and MONO is incorrect.
+Results:
+page1.aspx: MONO-Viewable. MS.NET-Blocked.
+page2.aspx: MONO-Blocked. MS.NET-Viewable. 
+page3.aspx: MONO-Viewable. MS.NET-Blocked.
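Review bot: The results list in the added comment gives only Viewable/Blocked per page and leaves out the <allow>/<deny> rules that apply to each page and the identity used for the request, so the outcome cannot be checked without opening the five attachments. Suggest quoting the relevant authorization section inline and stating the expected response for each page (401 where a <deny> matches, per the description in the context lines above). It would also help to separate the two kinds of mismatch: page1.aspx and page3.aspx are fail-open (Mono serves what MS.NET blocks), which is the access-control exposure, while page2.aspx is fail-closed (Mono blocks what MS.NET serves).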