[Mono-bugs] [Bug 60482][Blo] Changed - Critical bug in ASP.NET UrlAuthorization Module (beta 3)

bugzilla-daemon@bugzilla.ximian.com bugzilla-daemon@bugzilla.ximian.com
Mon, 21 Jun 2004 21:51:05 -0400 (EDT)


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by davidandrewtaylor@hotmail.com.

http://bugzilla.ximian.com/show_bug.cgi?id=60482

--- shadow/60482	2004-06-20 21:05:55.000000000 -0400
+++ shadow/60482.tmp.14369	2004-06-21 21:51:05.000000000 -0400
@@ -89,6 +89,32 @@
 
 
 ------- Additional Comments From davidandrewtaylor@hotmail.com  2004-06-20 21:05 -------
 Created an attachment (id=8255)
 File 5: test page 3
 
+
+------- Additional Comments From davidandrewtaylor@hotmail.com  2004-06-21 21:51 -------
+In the following file:
+AuthorizationConfig.cs
+There is a foreach statement inside the Method:
+internal bool IsValidUser (IPrincipal user, string verb)
+
+I propose as a patch to fix this bug that we replace the foreach 
+code block with this:
+
+foreach (UserData data in list) 
+{
+  userMatch = (data.Users!=null && data.CheckUser
+(user.Identity.Name))
+    ? true : false;
+
+  roleMatch = (data.Roles!=null && data.CheckRole(user))
+    ? true : false;
+
+  verbMatch = (data.Verbs == null);
+  if (data.Verbs != null)
+    verbMatch = data.CheckVerb (verb);
+
+  if ((userMatch || roleMatch) && verbMatch)
+    return data.Allow;
+}
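
Review bot: In the `userMatch` assignment, `user.Identity.Name` is dereferenced with no check that `user` or `user.Identity` is non-null, so a request without a principal would throw inside the authorization check instead of being evaluated against the rules; guard for that before the loop. The proposed block also shows nothing after the closing brace of the `foreach`, so the comment should state what `IsValidUser` returns when no `UserData` entry matches, since that default decides whether unmatched requests are allowed or denied. Note too that an entry whose `data.Users` and `data.Roles` are both null can never satisfy `(userMatch || roleMatch)` and is silently skipped; confirm that is intended. The `? true : false` on the two boolean expressions is redundant and can be dropped.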