[Mono-bugs] [Bug 60482][Blo] Changed - Critical bug in ASP.NET UrlAuthorization Module (beta 3)
bugzilla-daemon@bugzilla.ximian.com
Tue, 22 Jun 2004 21:47:50 -0400 (EDT)
Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by davidandrewtaylor@hotmail.com.
http://bugzilla.ximian.com/show_bug.cgi?id=60482
--- shadow/60482 2004-06-22 20:59:49.000000000 -0400
+++ shadow/60482.tmp.3081 2004-06-22 21:47:50.000000000 -0400
@@ -10,13 +10,12 @@
Component: Sys.Web
AssignedTo: mono-bugs@ximian.com
ReportedBy: davidandrewtaylor@hotmail.com
QAContact: mono-bugs@ximian.com
TargetMilestone: ---
URL:
-Cc:
Summary: Critical bug in ASP.NET UrlAuthorization Module (beta 3)
Description of Problem:
There is a critical bug in the ASP.NET UrlAuthorization module in MONO
(tested in Beta 3). The bug is in the code "AuthorizationConfig.cs"
within the foreach statement inside the method "internal bool IsValidUser
@@ -133,6 +132,20 @@
the "roles" or a "users" attribute.
Please look at my code again, which I believe is correct. You can
see in my last line where I say "verb && (users || roles)".
+
+------- Additional Comments From davidandrewtaylor@hotmail.com 2004-06-22 21:47 -------
+I believe you could rewrite your latest version correctly like this:
+
+foreach (UserData data in list)
+{
+ if (data.Verbs != null && !data.CheckVerb (verb))
+ continue;
+
+ if ((data.Users!=null&&data.CheckUser(user.Identity.Name))
+ || (data.Roles!=null&&data.CheckRole(user)))
+ return data.Allow;
+}
+
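Review bot: In the added foreach, the user test reads `user.Identity.Name` with no check that `user` or `user.Identity` is non-null, so this line would throw a NullReferenceException if either is null. Guard it, or state that the caller guarantees both. The loop also skips any entry whose `Users` and `Roles` are both null, and the lines shown stop at the closing brace, so the value returned when no entry matches is not visible. Include that final return in the proposed rewrite so the default authorization decision can be reviewed along with the loop. Style: put spaces around `!=` and `&&` in the second condition to match `data.Verbs != null && !data.CheckVerb (verb)` above it.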