[Mono-bugs] [Bug 60482][Blo] Changed - Critical bug in ASP.NET UrlAuthorization Module (beta 3)
bugzilla-daemon@bugzilla.ximian.com
bugzilla-daemon@bugzilla.ximian.com
Mon, 21 Jun 2004 21:51:05 -0400 (EDT)
Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by davidandrewtaylor@hotmail.com.
http://bugzilla.ximian.com/show_bug.cgi?id=60482
--- shadow/60482 2004-06-20 21:05:55.000000000 -0400
+++ shadow/60482.tmp.14369 2004-06-21 21:51:05.000000000 -0400
@@ -89,6 +89,32 @@
------- Additional Comments From davidandrewtaylor@hotmail.com 2004-06-20 21:05 -------
Created an attachment (id=8255)
File 5: test page 3
+
+------- Additional Comments From davidandrewtaylor@hotmail.com 2004-06-21 21:51 -------
+In the following file:
+AuthorizationConfig.cs
+There is a foreach statement inside the Method:
+internal bool IsValidUser (IPrincipal user, string verb)
+
+I propose as a patch to fix this bug that we replace the foreach
+code block with this:
+
+foreach (UserData data in list)
+{
+ userMatch = (data.Users!=null && data.CheckUser
+(user.Identity.Name))
+ ? true : false;
+
+ roleMatch = (data.Roles!=null && data.CheckRole(user))
+ ? true : false;
+
+ verbMatch = (data.Verbs == null);
+ if (data.Verbs != null)
+ verbMatch = data.CheckVerb (verb);
+
+ if ((userMatch || roleMatch) && verbMatch)
+ return data.Allow;
+}
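
Review bot: the proposed foreach returns data.Allow from the first entry where "(userMatch || roleMatch) && verbMatch" holds, but the snippet does not show what IsValidUser returns when the loop finishes without a match. For an authorization check, that fall-through value should be part of the patch and stated explicitly, since the result also depends on the order of the entries in list. In the userMatch line, user.Identity.Name is read without a check that user or user.Identity is non-null; a guard before the loop would make the behaviour for a missing principal explicit. The "? true : false" on the userMatch and roleMatch assignments is redundant, as each && expression is already a bool. The patch should also say where userMatch, roleMatch and verbMatch are declared, since the block replaces existing code.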