Menu
▾
▴
Re: [Exist-development] xmldb:get-child-collections() and xmldb:get-child-resources() is failing to check to see if the current user has permissions to read the child collection/resource before returning it in the sequence
Can you show tmp's permissions & your groups?
On Fri, Aug 27, 2010 at 10:45 PM, Loren Cahlander <lor...@gm...
> wrote:
> Here is what I mean with an example under Mac OS X (The same thing will
> work under Linux):
>
> lorens-mac:tmp lcahlander$ ls -al
> total 8
> drwxrwxrwt 9 root wheel 306 Aug 27 12:40 .
> drwxr-xr-x@ 6 root wheel 204 Dec 10 2009 ..
> -rw-r--r-- 1 lcahlander wheel 0 Aug 27 11:35 .yjp_ide51928
> srwxr-xr-x 1 lcahlander wheel 0 Aug 26 23:15 icssuis501
> drwx------ 3 lcahlander wheel 102 Aug 26 23:14 launch-Lk9wGt
> drwx------ 3 lcahlander wheel 102 Aug 26 23:14 launch-qXSOwK
> drwx------ 3 lcahlander wheel 102 Aug 26 23:14 launch-y3HLPq
> drwx------ 3 lcahlander wheel 102 Aug 26 23:14 launchd-131.SHiPK0
> *-rwx------ 1 root wheel 36 Aug 27 12:40 noread.txt*
> lorens-mac:tmp lcahlander$ who am i
> lcahlander ttys000 Aug 27 12:39
> *lorens-mac:tmp lcahlander$ cat noread.txt *
> *cat: noread.txt: Permission denied*
> lorens-mac:tmp lcahlander$
>
> You can see that I am not running as root. The listing of the contents of
> /tmp shows all of the metadata about the contents of */tmp*, but I do not
> have read access to */tmp/noread.txt* which is evident when I try to cat
> the file.
>
> On Aug 27, 2010, at 12:28 PM, Loren Cahlander wrote:
>
> When I was thinking through this problem (some of it during sleeping), I
> was thinking that this original statement was wrong. If the user has read
> access to a collection, then he/she can see the listing of the collections
> and resources within the collection. The problem that the WebDAV client was
> encountering was accessing the creation date, last modified date and the
> size of the resource when the user does not have read access to the
> resource. This is wrong. If the user has read access to the parent
> collection and not to the resource being listed, then the user should have
> access to the creation date, last modified date and the size of the resource
> but no to the contents of the resource.
>
>
> In org.exist.xmldb.LocalXMLResource:
>
> The following:
>
> public Date getCreationTime() throws XMLDBException {
> DBBroker broker = null;
> try {
> broker = pool.get(user);
> DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> * **if (!document.getPermissions().validate(user, Permission.READ))*
> * **throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,*
> * **"permission denied to read resource");*
> return new Date(document.getMetadata().getCreated());
> } catch (EXistException e) {
> throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR, e.getMessage(),
> e);
> } finally {
> pool.release(broker);
> }
> }
>
> public Date getLastModificationTime() throws XMLDBException {
> DBBroker broker = null;
> try {
> broker = pool.get(user);
> DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> * **if (!document.getPermissions().validate(user, Permission.READ))*
> * **throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,*
> * **"permission denied to read resource");*
> return new Date(document.getMetadata().getLastModified());
> } catch (EXistException e) {
> throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR, e.getMessage(),
> e);
> } finally {
> pool.release(broker);
> }
> }
> /* (non-Javadoc)
> * @see org.exist.xmldb.EXistResource#getContentLength()
> */
> public int getContentLength() throws XMLDBException {
> DBBroker broker = null;
> try {
> broker = pool.get(user);
> DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> * **if (!document.getPermissions().validate(user, Permission.READ))*
> * **throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,*
> * **"permission denied to read resource");*
> return document.getContentLength();
> } catch (EXistException e) {
> throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR, e.getMessage(),
> e);
> } finally {
> pool.release(broker);
> }
> }
>
> To:
>
>
> public Date getCreationTime() throws XMLDBException {
> DBBroker broker = null;
> try {
>
> * LocalCollection parent =
> (LocalCollection)getParentCollection();*
>
> * if (!parent.getCollection().getPermissions().validate(user,
> Permission.READ)) {*
>
> * throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,
> "permission denied to read resource");*
>
> * *
>
> * }*
>
> broker = pool.get(user);
> DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> return new Date(document.getMetadata().getCreated());
> } catch (EXistException e) {
> throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR, e.getMessage(),
> e);
> } finally {
> pool.release(broker);
> }
> }
>
> public Date getLastModificationTime() throws XMLDBException {
> DBBroker broker = null;
> try {
>
> * LocalCollection parent =
> (LocalCollection)getParentCollection();*
>
> * if (!parent.getCollection().getPermissions().validate(user,
> Permission.READ)) {*
>
> * throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,
> "permission denied to read resource");*
>
> * *
>
> * }*
>
> broker = pool.get(user);
> DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> return new Date(document.getMetadata().getLastModified());
> } catch (EXistException e) {
> throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR, e.getMessage(),
> e);
> } finally {
> pool.release(broker);
> }
> }
> /* (non-Javadoc)
> * @see org.exist.xmldb.EXistResource#getContentLength()
> */
> public int getContentLength() throws XMLDBException {
> DBBroker broker = null;
> try {
>
> * LocalCollection parent =
> (LocalCollection)getParentCollection();*
>
> * if (!parent.getCollection().getPermissions().validate(user,
> Permission.READ)) {*
>
> * throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,
> "permission denied to read resource");*
>
> * *
>
> * }*
>
> broker = pool.get(user);
> DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> return document.getContentLength();
> } catch (EXistException e) {
> throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR, e.getMessage(),
> e);
> } finally {
> pool.release(broker);
> }
> }
>
> The same problem exists in org.exist.xmldb.LocalBinaryResource. If I get
> the community buy in, then I will go ahead and make this change to these two
> source files.
>
> This would match our documentation on permissions:
>
> http://exist-db.org/security.html#permissions
>
>
> Loren
>
>
>
>
>
>
> On Aug 26, 2010, at 04:34 PM, Loren Cahlander wrote:
>
> Hello folks,
>
> I found a security hole in the XMLDB function module while trying to lock
> down the WebDAV access so that guest cannot see the database contents. I
> removed the rwu from other/world on all resources (rwurwu---) and am getting
> the following while trying to see
> http://localhost:8080/exist/webdav/db/cms as guest:
>
>
>
> *org.exist.xquery.XPathException: Failed to retrieve creation date:
> permission denied to read resource [at line 56, column 36]*
> *In function:*
> * **f:format-dateTime(xs:dateTime)
> [56:18:jar:file:/home/exist/exist/exist-optional.jar!/org/exist/http/webdav/methods/collection.xq]
> *
> * **f:display-child-resources(xs:string)
> [96:14:jar:file:/home/exist/exist/exist-optional.jar!/org/exist/http/webdav/methods/collection.xq]
> *
>
>
> The content of the function in collection.xq is:
>
> declare function f:display-child-resources($collection as xs:string)
> as element()* {
> for $child in xdb:get-child-resources($collection)
> order by $child
> return
> <tr>
> <td><a target="_new" href="{$uri}/{$child}">{$child}</a></td>
> <td
> class="perm">{xdb:permissions-to-string(xdb:get-permissions($collection,
> $child))}</td>
> <td>{xdb:get-owner($collection, $child)}</td>
> <td>{xdb:get-group($collection, $child)}</td>
> * <td>{f:format-dateTime(xdb:created($collection,
> $child))}</td>*
> <td>{f:format-dateTime(xdb:last-modified($collection,
> $child))}</td>
> <td>{fn:ceiling(xdb:size($collection, $child) div 1024)}</td>
> </tr>
> };
>
> The xdb:get-child-resources($collection) should only return the resources
> that the current user has read access to. Here is the content of the method
> in org.exist.xquery.functions.xmldb.XMLDBGetChildResources
>
> public Sequence evalWithCollection(Collection collection, Sequence[] args,
> Sequence contextSequence)
> throws XPathException {
> ValueSequence result = new ValueSequence();
> try {
> String[] collections = collection.listResources();
> for(int i = 0; i < collections.length; i++) {
> *//TODO: Add validating read permission against the current user*
> result.add(new StringValue(collections[i]));
> }
> return result;
> } catch (XMLDBException e) {
> throw new XPathException(this, "Failed to retrieve child resources", e);
> }
> }
>
> org.exist.xquery.functions.xmldb.XMLDBGetChildCollections has the same
> issue:
>
> public Sequence evalWithCollection(Collection collection, Sequence[] args,
> Sequence contextSequence)
> throws XPathException {
> ValueSequence result = new ValueSequence();
> try {
> String[] collections = collection.listChildCollections();
> for(int i = 0; i < collections.length; i++) {
> *//TODO: Add validating read permission against the current user*
> result.add(new StringValue(collections[i]));
> }
> return result;
> } catch (XMLDBException e) {
> throw new XPathException(this, "Failed to retrieve child collections", e);
> }
> }
>
>
>
>
>
> ------------------------------------------------------------------------------
> Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
> Be part of this innovative community and reach millions of netbook users
> worldwide. Take advantage of special opportunities to increase revenue and
> speed time-to-market. Join now, and jumpstart your future.
> http://p.sf.net/sfu/intel-atom-d2d
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
>
>
--
Dmitriy Shabanov
|
