[Mono-bugs] [Bug 467221] asp.net security trimming / authorization not working

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Wed Sep 15 22:47:42 EDT 2010


https://bugzilla.novell.com/show_bug.cgi?id=467221

https://bugzilla.novell.com/show_bug.cgi?id=467221#c10


Mike Morano <mmorano at mikeandwan.us> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
            Version|2.6.x                       |2.8.x
   Target Milestone|2.6.x                       |2.8.x

--- Comment #10 from Mike Morano <mmorano at mikeandwan.us> 2010-09-16 02:47:38 UTC ---
Hi Marek,

I was wondering if you had any luck with the test site, and reproducing the
issue.  I've started trying to do a little digging to see if I could find
anything, and have noticed a couple things.

If I update the url in the sitemap to be "~/admin" rather than
"~/admin/index.aspx" then security trimming does seem to take hold.  Based on
this, and looking through the code, the general path of interest the code seems
to take is:

WebConfigurationManager.LookUpLocation
    Configuration.FindLocationConfiguration
        ConfigurationLocationCollection.Find

I could see the relative path from the sitemap go through here, for example:
admin/index.aspx.  Of course, in the web.config, the location is defined with a
path="admin" so the string compare of "admin/index.aspx" will not match
"admin".  However, if I update the code to try to fall back for paths, this
seems to start to work (though I would expect this is not the right place for
the fix, the code below illustrates my point - and does trim in my test env):

in ConfigurationLocationCollection:

internal ConfigurationLocation Find (string location)
{
    // find the most specific location possible, and when the full path does
    // not match, fall back to searching for path membership
    while(!string.IsNullOrEmpty(location))
    {
        foreach (ConfigurationLocation loc in InnerList)
        {
            if (String.Compare (loc.Path, location, StringComparison.OrdinalIgnoreCase) == 0)
            {
                return loc;
            }
        }

        // no match at this level: drop the last path segment and retry
        int idx = location.LastIndexOf("/");

        if(idx <= 0)
        {
            location = null;
        }
        else
        {
            location = location.Remove(idx);
        }
    }
    return null;
}

Hope this helps, sorry I have next to no time to help out, I'm in quite a
different spot than a couple years ago...


All the best,
Mike
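
An added example, not part of the comment above or of the Mono source: a stand-alone C# program that runs the exact-match lookup and the segment-by-segment fallback side by side over constructed paths, to show which requests end up with no matching location. The class name, the sample location and request paths, and the use of plain strings in place of ConfigurationLocation are assumptions.

```csharp
using System;
using System.Collections.Generic;

static class LocationLookupDemo
{
    // Constructed sample: the path="" values of <location> elements in a web.config.
    static readonly List<string> Locations = new List<string> { "admin", "admin/reports" };

    // Exact-match lookup: a request path only matches a location with the same string.
    static string FindExact (string location)
    {
        foreach (string path in Locations)
            if (String.Compare (path, location, StringComparison.OrdinalIgnoreCase) == 0)
                return path;
        return null;
    }

    // Fallback lookup: retry with the last path segment removed until a location matches.
    static string FindWithFallback (string location)
    {
        while (!String.IsNullOrEmpty (location)) {
            string hit = FindExact (location);
            if (hit != null)
                return hit;
            int idx = location.LastIndexOf ('/');
            location = idx <= 0 ? null : location.Remove (idx);
        }
        return null;
    }

    static void Main ()
    {
        string[] requests = {
            "admin/index.aspx",          // page directly under a protected folder
            "admin/reports/q3.aspx",     // the most specific location should win
            "administrator/index.aspx",  // shares a prefix with "admin" but is a different folder
            "default.aspx"               // no location applies
        };
        foreach (string r in requests)
            Console.WriteLine ("{0,-26} exact={1,-8} fallback={2}",
                r, FindExact (r) ?? "(none)", FindWithFallback (r) ?? "(none)");
    }
}
```

Because the fallback cuts only at "/" boundaries, "administrator/index.aspx" never inherits the "admin" location, which a plain prefix test would get wrong.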
