[Mono-bugs] [Bug 659791] New: Client Access Policy fails when multiple domains are in the allow from (e.g. http + https)

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Wed Dec 15 17:44:09 EST 2010


https://bugzilla.novell.com/show_bug.cgi?id=659791

https://bugzilla.novell.com/show_bug.cgi?id=659791#c0


           Summary: Client Access Policy fails when multiple domains are
                    in the allow from (e.g. http + https)
    Classification: Mono
           Product: Mono: Class Libraries
           Version: 2.8.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: System.Security
        AssignedTo: spouliot at novell.com
        ReportedBy: keenan.forbes at ni.com
         QAContact: mono-bugs at lists.ximian.com
          Found By: ---
           Blocker: ---


User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

If you access a site that lists multiple domains in the allow from, the policy
will be rejected because there is only a single "Scheme" field in the AllowFrom
class. I'm not sure on the best fix, but perhaps Scheme should be turned into a
bitfield of allowable Schemes rather than a string.

In System.Net.Policy.ClientAccessPolicy.ReadAllowFromElement(), as each domain
is parsed, it overrides the previous parsed domains in the Scheme property.

Then in System.Net.Policy.AllowFrom.IsAllowed(), only the last Scheme is
checked against.

For example, consider a policy file like:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
    <cross-domain-access>
        <policy>
            <allow-from http-request-headers="*">
                <domain uri="http://*" />
                <domain uri="https://*" />
            </allow-from>
            <grant-to>
                <resource path="/ts-1.0" include-subpaths="true" />
            </grant-to>
        </policy>
    </cross-domain-access>
</access-policy>

Then the Scheme will be set to "https" and "http" will be denied.

Reproducible: Always

Steps to Reproduce:
Open up a web request to a server with multiple policies and you will get a
SecurityException. A publicly available one that I've been using is
"http://nobel.niwsc.com/ts-1.0/LVWSSysAdmin/GetAllUserServices". I've attached a
small test case that accesses this uri. I've been running it with the current
GIT version of Moonlight on linux. I included both a xap and the source code as
well as a Visual Studio solution used to build it. If you open up index.html
under Firefox with a current Moonlight plugin you'll see various
SecurityException errors on the console.
Actual Results:
SecurityException

Expected Results:
xml file containing "TimeServer"

I'd be happy to test and verify any patches since Moonlight can be a bit of a
hassle if you don't already have it set up. I'm a bit new to Mono so I'm not
sure how to best produce a non-Moonlight example that enforces the client
access policy...

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
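A model of the overwrite described in the report, added here as an example and not Moonlight's own System.Net.Policy code: the single-Scheme parse that loses earlier domains beside a version that keeps every scheme seen. The policy XML is constructed from the one in the report; the function names and the scheme-only check are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policy with the same shape as the one in the bug report.
POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*" />
        <domain uri="https://*" />
      </allow-from>
      <grant-to>
        <resource path="/ts-1.0" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def read_allow_from(policy_xml, keep_all_schemes):
    """Return the set of schemes the <allow-from> element admits.

    keep_all_schemes=False mirrors the reported defect: one Scheme value
    is overwritten by every <domain> parsed, so only the last survives.
    keep_all_schemes=True is the suggested fix: collect every scheme.
    """
    root = ET.fromstring(policy_xml)
    allow_from = root.find("./cross-domain-access/policy/allow-from")
    schemes = set()
    for domain in allow_from.findall("domain"):
        scheme = urlsplit(domain.get("uri")).scheme
        if keep_all_schemes:
            schemes.add(scheme)
        else:
            schemes = {scheme}  # the previous domain's scheme is lost here
    return schemes


def is_allowed(policy_xml, request_uri, keep_all_schemes=True):
    """Scheme check only; host and resource-path matching are out of scope."""
    allowed = read_allow_from(policy_xml, keep_all_schemes)
    return urlsplit(request_uri).scheme in allowed
```

With the buggy parse the policy admits only "https", so an http request to the granted path is refused; with the fix both schemes pass.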
