[Mono-bugs] [Bug 467221] [PATCH] asp.net security trimming / authorization not working

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Sat Nov 20 15:04:08 EST 2010



Mike Morano <mmorano at mikeandwan.us> changed:

           What    |Removed                     |Added
             Status|REOPENED                    |ASSIGNED
            Summary|asp.net security trimming / |[PATCH] asp.net security
                   |authorization not working   |trimming / authorization
                   |                            |not working

--- Comment #11 from Mike Morano <mmorano at mikeandwan.us> 2010-11-20 20:04:04 UTC ---

I have finally found a bit of time to work on this, and have a more
conservative fix to the issue, and am running this now on my current site with
expected behavior.  When the sitemap is looking for an applicable node for
security trimming, it will call the new method which can return a configuration
location that represents the most specific path configured for the requested
url.  I have not observed any negative side effects of this code with my

diff --git
index b8a3df7..6f80617 100644
--- a/mcs/class/System.Configuration/System.Configuration/Configuration.cs
+++ b/mcs/class/System.Configuration/System.Configuration/Configuration.cs
@@ -100,7 +100,7 @@ namespace System.Configuration {
                        if (relativePath.StartsWith (relConfigPath,
                                relativePath = relativePath.Substring

-                       ConfigurationLocation loc = Locations.Find
+                       ConfigurationLocation loc = Locations.FindBest
                        if (loc == null)
                                return parentConfig;
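Review bot: switching `Locations.Find` to `Locations.FindBest` changes this lookup from an exact match to a longest-prefix match, so a request under a sub-path with no `<location>` of its own now resolves to the nearest ancestor location instead of falling through to `parentConfig`; that is the intended fix, but the behaviour change deserves a comment at the call site, together with a note on whether `relativePath` (after the `relConfigPath` strip just above) is normalised to the same separator and casing that `FindBest` compares against, since a leading `/` left on `relativePath` would defeat a `StartsWith` against a path declared without one.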

diff --git
index c5a439b..b8f8ed3 100644
@@ -54,6 +54,37 @@ namespace System.Configuration {
                                        return loc;
                        return null;
+               internal ConfigurationLocation FindBest (string location)
+               {
+                       if(location == null)
+                               return null;
+                       ConfigurationLocation bestMatch = null;
+                       foreach (ConfigurationLocation loc in InnerList)
+                       {
+                               if(location.StartsWith(loc.Path,
+                               {
+                                       // ensure path based comparisons
consider full directory names (i.e. so 'admin' does not match an
'administration' path)
+                                       if(location.Length > loc.Path.Length &&
location[loc.Path.Length] != '/')
+                                       {
+                                               continue;
+                                       }
+                                       if(bestMatch == null)
+                                       {
+                                               bestMatch = loc;
+                                       }
+                                       else if(bestMatch.Path.Length <
+                                       {
+                                               bestMatch = loc;
+                                       }
+                               }
+                       }
+                       return bestMatch;
+               }
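Review bot: the directory-boundary check `location[loc.Path.Length] != '/'` misfires when `loc.Path` carries a trailing slash or is empty: with `<location path="admin/">` and a request for `admin/upload` the character after the prefix is `u`, so the legitimately matching location is skipped, and an empty root path is skipped for any request that does not start with `/`. Suggest trimming trailing `/` from both `loc.Path` and `location` before the comparison (or testing whether `loc.Path` already ends with `/`), and adding a comment that ties in `Path.Length` keep the first entry of `InnerList`, since the result depends on declaration order.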

I believe there could be one other enhancement to this patch, which is not
included in the above.  For example, consider the following in a web.config:

<location path="admin">
    <system.web><authorization><!-- authorization rules for admin --></authorization></system.web>
</location>

<location path="admin/upload">
    <system.web><httpRuntime /></system.web>
</location>

To determine the security settings of a file in the admin/upload path, you
would need to consider the setting in "admin", as this is the most specific
location that specifies the authorization rules.  I have not tested this, but
currently I might expect to see that the "admin/upload" location would be used to
try and identify the authorization rule, but would not be defined there.  As
such, there could be a need to know the config section that is of interest as
part of this search, as it would need to return a configuration location that
contains the settings that are needed (in this example, the
system.web/authorization section).  Of course a data structure could be used to
track the different configured paths, but that looks like it would be quite an

Please let me know if you have any questions.
