Menu
▾
▴
Re: [Exist-development] xmldb:get-child-collections() and xmldb:get-child-resources() is failing to check to see if the current user has permissions to read the child collection/resource before returning it in the sequence
Hello,
I did check on linux box, the result quite simple, read permission
required to see metadata.
In your example: you have access, because you have read permission (see
last 'r').
--
Cheers,
Dmitriy Shabanov
On Fri, 2010-08-27 at 14:20 -0500, Loren Cahlander wrote:
> /tmp's permissions are:
>
>
> > drwxrwxrwt 9 root wheel 306 Aug 27 12:40 .
>
>
>
> and /'s permissions are:
>
>
> > drwxr-xr-x@ 6 root wheel 204 Dec 10 2009 ..
>
>
>
>
>
> lorens-mac:tmp lcahlander$ groups
> staff com.apple.sharepoint.group.3 _developer _lpoperator _lpadmin
> _appserveradm admin _appserverusr localaccounts everyone
> com.apple.access_screensharing com.apple.sharepoint.group.2
> com.apple.sharepoint.group.1
>
>
> I am also thinking that we can remove any security check on
> getCreationTime(), getLastModificationTime() and getContentLength()
> due to the fact that you need to have read permission on the
> collection to get to the resource. All permission validation for the
> metadata on the resource has already happened. We only need to check
> the permissions for the various methods accessing the content of the
> resource.
>
>
>
>
> On Aug 27, 2010, at 12:54 PM, Dmitriy Shabanov wrote:
>
> > Can you show tmp's permissions & your groups?
> >
> > On Fri, Aug 27, 2010 at 10:45 PM, Loren Cahlander
> > <lor...@gm...> wrote:
> > Here is what I mean with an example under Mac OS X (The same
> > thing will work under Linux):
> >
> >
> > lorens-mac:tmp lcahlander$ ls -al
> > total 8
> > drwxrwxrwt 9 root wheel 306 Aug 27 12:40 .
> > drwxr-xr-x@ 6 root wheel 204 Dec 10 2009 ..
> > -rw-r--r-- 1 lcahlander wheel 0 Aug 27
> > 11:35 .yjp_ide51928
> > srwxr-xr-x 1 lcahlander wheel 0 Aug 26 23:15 icssuis501
> > drwx------ 3 lcahlander wheel 102 Aug 26 23:14
> > launch-Lk9wGt
> > drwx------ 3 lcahlander wheel 102 Aug 26 23:14
> > launch-qXSOwK
> > drwx------ 3 lcahlander wheel 102 Aug 26 23:14
> > launch-y3HLPq
> > drwx------ 3 lcahlander wheel 102 Aug 26 23:14
> > launchd-131.SHiPK0
> > -rwx------ 1 root wheel 36 Aug 27 12:40 noread.txt
> > lorens-mac:tmp lcahlander$ who am i
> > lcahlander ttys000 Aug 27 12:39
> > lorens-mac:tmp lcahlander$ cat noread.txt
> > cat: noread.txt: Permission denied
> > lorens-mac:tmp lcahlander$
> >
> >
> > You can see that I am not running as root. The listing of
> > the contents of /tmp shows all of the metadata about the
> > contents of /tmp, but I do not have read access
> > to /tmp/noread.txt which is evident when I try to cat the
> > file.
> >
> > On Aug 27, 2010, at 12:28 PM, Loren Cahlander wrote:
> >
> > > When I was thinking through this problem (some of it
> > > during sleeping), I was thinking that this original
> > > statement was wrong. If the user has read access to a
> > > collection, then he/she can see the listing of the
> > > collections and resources within the collection. The
> > > problem that the WebDAV client was encountering was
> > > accessing the creation date, last modified date and the
> > > size of the resource when the user does not have read
> > > access to the resource. This is wrong. If the user has
> > > read access to the parent collection and not to the
> > > resource being listed, then the user should have access to
> > > the creation date, last modified date and the size of the
> > > resource but no to the contents of the resource.
> > >
> > >
> > >
> > >
> > > In org.exist.xmldb.LocalXMLResource:
> > >
> > >
> > > The following:
> > >
> > >
> > > public Date getCreationTime() throws XMLDBException {
> > > DBBroker broker = null;
> > > try {
> > > broker = pool.get(user);
> > > DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> > > if (!document.getPermissions().validate(user,
> > > Permission.READ))
> > > throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,
> > > "permission denied to read resource");
> > > return new Date(document.getMetadata().getCreated());
> > > } catch (EXistException e) {
> > > throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR,
> > > e.getMessage(),
> > > e);
> > > } finally {
> > > pool.release(broker);
> > > }
> > > }
> > >
> > >
> > > public Date getLastModificationTime() throws
> > > XMLDBException {
> > > DBBroker broker = null;
> > > try {
> > > broker = pool.get(user);
> > > DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> > > if (!document.getPermissions().validate(user,
> > > Permission.READ))
> > > throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,
> > > "permission denied to read resource");
> > > return new Date(document.getMetadata().getLastModified());
> > > } catch (EXistException e) {
> > > throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR,
> > > e.getMessage(),
> > > e);
> > > } finally {
> > > pool.release(broker);
> > > }
> > > }
> > >
> > > /* (non-Javadoc)
> > > * @see org.exist.xmldb.EXistResource#getContentLength()
> > > */
> > > public int getContentLength() throws XMLDBException {
> > > DBBroker broker = null;
> > > try {
> > > broker = pool.get(user);
> > > DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> > > if (!document.getPermissions().validate(user,
> > > Permission.READ))
> > > throw new XMLDBException(ErrorCodes.PERMISSION_DENIED,
> > > "permission denied to read resource");
> > > return document.getContentLength();
> > > } catch (EXistException e) {
> > > throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR,
> > > e.getMessage(),
> > > e);
> > > } finally {
> > > pool.release(broker);
> > > }
> > > }
> > >
> > >
> > > To:
> > >
> > >
> > >
> > >
> > > public Date getCreationTime() throws XMLDBException {
> > > DBBroker broker = null;
> > > try {
> > > LocalCollection parent =
> > > (LocalCollection)getParentCollection();
> > > if (!
> > > parent.getCollection().getPermissions().validate(user, Permission.READ)) {
> > > throw new
> > > XMLDBException(ErrorCodes.PERMISSION_DENIED, "permission denied to read resource");
> > >
> > > }
> > > broker = pool.get(user);
> > > DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> > > return new Date(document.getMetadata().getCreated());
> > > } catch (EXistException e) {
> > > throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR,
> > > e.getMessage(),
> > > e);
> > > } finally {
> > > pool.release(broker);
> > > }
> > > }
> > >
> > >
> > > public Date getLastModificationTime() throws
> > > XMLDBException {
> > > DBBroker broker = null;
> > > try {
> > > LocalCollection parent =
> > > (LocalCollection)getParentCollection();
> > > if (!
> > > parent.getCollection().getPermissions().validate(user, Permission.READ)) {
> > > throw new
> > > XMLDBException(ErrorCodes.PERMISSION_DENIED, "permission denied to read resource");
> > >
> > > }
> > > broker = pool.get(user);
> > > DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> > > return new Date(document.getMetadata().getLastModified());
> > > } catch (EXistException e) {
> > > throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR,
> > > e.getMessage(),
> > > e);
> > > } finally {
> > > pool.release(broker);
> > > }
> > > }
> > >
> > > /* (non-Javadoc)
> > > * @see org.exist.xmldb.EXistResource#getContentLength()
> > > */
> > > public int getContentLength() throws XMLDBException {
> > > DBBroker broker = null;
> > > try {
> > > LocalCollection parent =
> > > (LocalCollection)getParentCollection();
> > > if (!
> > > parent.getCollection().getPermissions().validate(user, Permission.READ)) {
> > > throw new
> > > XMLDBException(ErrorCodes.PERMISSION_DENIED, "permission denied to read resource");
> > >
> > > }
> > > broker = pool.get(user);
> > > DocumentImpl document = getDocument(broker, Lock.NO_LOCK);
> > > return document.getContentLength();
> > > } catch (EXistException e) {
> > > throw new XMLDBException(ErrorCodes.UNKNOWN_ERROR,
> > > e.getMessage(),
> > > e);
> > > } finally {
> > > pool.release(broker);
> > > }
> > > }
> > >
> > >
> > > The same problem exists
> > > in org.exist.xmldb.LocalBinaryResource. If I get the
> > > community buy in, then I will go ahead and make this
> > > change to these two source files.
> > >
> > >
> > > This would match our documentation on permissions:
> > >
> > >
> > > http://exist-db.org/security.html#permissions
> > >
> > >
> > >
> > >
> > > Loren
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > On Aug 26, 2010, at 04:34 PM, Loren Cahlander wrote:
> > >
> > > > Hello folks,
> > > >
> > > >
> > > > I found a security hole in the XMLDB function module
> > > > while trying to lock down the WebDAV access so that
> > > > guest cannot see the database contents. I removed the
> > > > rwu from other/world on all resources (rwurwu---) and am
> > > > getting the following while trying to see
> > > > http://localhost:8080/exist/webdav/db/cms as guest:
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > org.exist.xquery.XPathException: Failed to retrieve
> > > > creation date: permission denied to read resource [at
> > > > line 56, column 36]
> > > > In function:
> > > > f:format-dateTime(xs:dateTime)
> > > > [56:18:jar:file:/home/exist/exist/exist-optional.jar!/org/exist/http/webdav/methods/collection.xq]
> > > > f:display-child-resources(xs:string)
> > > > [96:14:jar:file:/home/exist/exist/exist-optional.jar!/org/exist/http/webdav/methods/collection.xq]
> > > >
> > > >
> > > >
> > > >
> > > > The content of the function in collection.xq is:
> > > >
> > > >
> > > > declare function f:display-child-resources($collection
> > > > as xs:string)
> > > > as element()* {
> > > > for $child in xdb:get-child-resources($collection)
> > > > order by $child
> > > > return
> > > > <tr>
> > > > <td><a target="_new"
> > > > href="{$uri}/{$child}">{$child}</a></td>
> > > > <td
> > > > class="perm">{xdb:permissions-to-string(xdb:get-permissions($collection, $child))}</td>
> > > > <td>{xdb:get-owner($collection,
> > > > $child)}</td>
> > > > <td>{xdb:get-group($collection,
> > > > $child)}</td>
> > > >
> > > > <td>{f:format-dateTime(xdb:created($collection,
> > > > $child))}</td>
> > > >
> > > > <td>{f:format-dateTime(xdb:last-modified($collection,
> > > > $child))}</td>
> > > > <td>{fn:ceiling(xdb:size($collection,
> > > > $child) div 1024)}</td>
> > > > </tr>
> > > > };
> > > >
> > > >
> > > > The xdb:get-child-resources($collection) should only
> > > > return the resources that the current user has read
> > > > access to. Here is the content of the method in
> > > > org.exist.xquery.functions.xmldb.XMLDBGetChildResources
> > > >
> > > >
> > > > public Sequence evalWithCollection(Collection
> > > > collection, Sequence[] args, Sequence contextSequence)
> > > > throws XPathException {
> > > > ValueSequence result = new ValueSequence();
> > > > try {
> > > > String[] collections = collection.listResources();
> > > > for(int i = 0; i < collections.length; i++) {
> > > > //TODO: Add validating read permission against the
> > > > current user
> > > > result.add(new StringValue(collections[i]));
> > > > }
> > > > return result;
> > > > } catch (XMLDBException e) {
> > > > throw new XPathException(this, "Failed to retrieve child
> > > > resources", e);
> > > > }
> > > > }
> > > >
> > > >
> > > > org.exist.xquery.functions.xmldb.XMLDBGetChildCollections has the same issue:
> > > >
> > > >
> > > > public Sequence evalWithCollection(Collection
> > > > collection, Sequence[] args, Sequence contextSequence)
> > > > throws XPathException {
> > > >
> > > > ValueSequence result = new ValueSequence();
> > > > try {
> > > > String[] collections =
> > > > collection.listChildCollections();
> > > > for(int i = 0; i < collections.length; i++) {
> > > > //TODO: Add validating read permission against the
> > > > current user
> > > > result.add(new StringValue(collections[i]));
> > > > }
> > > > return result;
> > > > } catch (XMLDBException e) {
> > > > throw new XPathException(this, "Failed to retrieve child
> > > > collections", e);
> > > > }
> > > > }
|
