[Mono-bugs] [Bug 467221] asp.net security trimming / authorization not working

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Wed Sep 15 22:47:42 EDT 2010



Mike Morano <mmorano at mikeandwan.us> changed:

           What    |Removed                     |Added
           Priority|P5 - None                   |P3 - Medium
            Version|2.6.x                       |2.8.x
   Target Milestone|2.6.x                       |2.8.x

--- Comment #10 from Mike Morano <mmorano at mikeandwan.us> 2010-09-16 02:47:38 UTC ---
Hi Marek,

I was wondering if you had any luck with the test site, and reproducing the
issue.  I've started trying to do a little digging to see if I could find
anything, and have noticed a couple things.

If I update the URL in the sitemap to be "~/admin" rather than
"~/admin/index.aspx" then security trimming does seem to take hold.  Based on
this, and looking through the code, the general path of interest the code seems
to take is:


I could see the relative path from the sitemap go through here, for example:
admin/index.aspx.  Of course, in the web.config, the location is defined with a
path="admin" so the string compare of "admin/index.aspx" will not match
"admin".  However, if I update the code to try to fall back for paths, this
seems to start to work (though I would expect this is not the right place for
the fix, the code below illustrates my point - and does trim in my test env):

in ConfigurationLocationCollection:

internal ConfigurationLocation Find (string location)
{
    // find the most specific location possible, and when the full path does
    // not match, fall back to searching for path membership by stripping the
    // last "/" segment and retrying until nothing is left
    while (location != null) {
        foreach (ConfigurationLocation loc in InnerList)
            if (String.Compare (loc.Path, location,
                                StringComparison.OrdinalIgnoreCase) == 0)
                return loc;

        int idx = location.LastIndexOf ("/");

        if (idx <= 0)
            location = null;
        else
            location = location.Remove (idx);
    }
    return null;
}

Hope this helps, sorry I have next to no time to help out, I'm in quite a
different spot than a couple years ago...

All the best,

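The lookup the comment above proposes, modelled in Python as an added example (not Mono's code): the location table, role names and request paths are constructed sample values, and the rule that an unmatched path carries no restriction is an assumption of this model.

```python
# Added example, not Mono's code. Constructed sample <location> entries keyed by
# the path attribute web.config would declare: path -> roles allowed there,
# or None when the location is open to everyone.
LOCATIONS = {
    "admin": {"admin"},
    "admin/reports": {"auditor"},
    "public": None,
}


def find_location(location, locations=LOCATIONS):
    """Return the most specific <location> path covering `location`.

    Mirrors the fallback in the comment: compare the full path
    case-insensitively, then strip the last "/" segment and retry.
    Walking segments (rather than a plain prefix test) is what keeps
    "admin/index.aspx" under "admin" while "adminx/index.aspx" stays unmatched.
    """
    lowered = {path.lower(): path for path in locations}
    while location is not None:
        hit = lowered.get(location.lower())
        if hit is not None:
            return hit
        idx = location.rfind("/")
        location = None if idx <= 0 else location[:idx]
    return None


def is_allowed(location, roles, locations=LOCATIONS):
    """Security-trimming decision for one sitemap node.

    The node is shown only if the user's roles satisfy the most specific
    matching <location>. Assumption of this model: a path with no matching
    <location> has no restriction.
    """
    path = find_location(location, locations)
    if path is None:
        return True
    allowed = locations[path]
    return allowed is None or bool(allowed & set(roles))
```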