authorMark Macdonald2012-06-15 13:06:41 (EDT)
committerMark Macdonald2012-10-29 15:06:30 (EDT)
commitdaa3b276ee4104a804442428bd8556b28e91e769 (patch)
treee035efee9f08a8d07a8c3253bc20f450d68c8af6
parent54ff3170d064113d1a2b53211fce8f33704d17b9 (diff)
Bug 382760 - Site can expose other users' files (tag: v20121029-1906)
-rw-r--r--bundles/org.eclipse.orion.server.hosting/src/org/eclipse/orion/internal/server/hosting/HostedSiteServlet.java14
-rw-r--r--tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/AbstractServerTest.java9
-rw-r--r--tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/servlets/site/HostingTest.java69
3 files changed, 82 insertions, 10 deletions
diff --git a/bundles/org.eclipse.orion.server.hosting/src/org/eclipse/orion/internal/server/hosting/HostedSiteServlet.java b/bundles/org.eclipse.orion.server.hosting/src/org/eclipse/orion/internal/server/hosting/HostedSiteServlet.java
index 6ca9806..ae81454 100644
--- a/bundles/org.eclipse.orion.server.hosting/src/org/eclipse/orion/internal/server/hosting/HostedSiteServlet.java
+++ b/bundles/org.eclipse.orion.server.hosting/src/org/eclipse/orion/internal/server/hosting/HostedSiteServlet.java
@@ -248,11 +248,20 @@ public class HostedSiteServlet extends OrionServlet {
String userId = site.getUserId();
String workspaceId = site.getWorkspaceId();
String workspaceUri = WORKSPACE_SERVLET_ALIAS + "/" + workspaceId; //$NON-NLS-1$
+ String fileURI = FILE_SERVLET_ALIAS + path.toString();
boolean allow = false;
// Check that user who launched the hosted site really has access to the workspace
try {
if (AuthorizationService.checkRights(userId, workspaceUri, "GET")) { //$NON-NLS-1$
- allow = true;
+ boolean fileMatch = AuthorizationService.checkRights(userId, fileURI, "GET"); //$NON-NLS-1$
+ boolean dirMatch = fileURI.endsWith("/") && AuthorizationService.checkRights(userId, fileURI, "GET"); //$NON-NLS-1$ //$NON-NLS-2$
+ if (fileMatch || dirMatch) {
+ allow = true;
+ } else {
+ handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("No rights to access {0}", fileURI), null));
+ }
+ } else {
+ handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("No rights to access {0}", workspaceUri), null));
}
} catch (JSONException e) {
throw new ServletException(e);
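Review bot: `dirMatch` evaluates exactly the same `AuthorizationService.checkRights(userId, fileURI, "GET")` call as `fileMatch`, so `fileMatch || dirMatch` reduces to `fileMatch` and the `endsWith("/")` guard never changes the outcome; either it is dead code or it was meant to test a different URI (the directory form with the trailing separator added or removed), and the hunk does not say which. If a single form is intended, collapse it to `if (AuthorizationService.checkRights(userId, fileURI, "GET")) { allow = true; } else { handleException(...); }`; if two forms are intended, make the second one actually differ and explain it with a comment such as `// rights may be granted on the directory URI rather than on the file itself`. The new 403 body also echoes `fileURI`, the internal `/file/...` path derived from the site mapping, to whoever visits the hosted site; a generic "No rights to access this resource" would disclose less about the backing workspace layout. The enclosing method begins before this hunk and the code that consumes `allow` follows it.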
@@ -280,9 +289,6 @@ public class HostedSiteServlet extends OrionServlet {
addEditHeaders(resp, site, path);
addContentTypeHeader(resp, file.getName());
}
- } else {
- String msg = NLS.bind("No rights to access {0}", workspaceUri);
- handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, msg, null));
}
return true;
}
diff --git a/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/AbstractServerTest.java b/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/AbstractServerTest.java
index f7dabdb..d483103 100644
--- a/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/AbstractServerTest.java
+++ b/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/AbstractServerTest.java
@@ -10,13 +10,18 @@
*******************************************************************************/
package org.eclipse.orion.server.tests;
-import com.meterware.httpunit.WebRequest;
import java.io.UnsupportedEncodingException;
+
import junit.framework.Assert;
+
import org.eclipse.core.runtime.CoreException;
import org.eclipse.orion.internal.server.servlets.workspace.authorization.AuthorizationService;
import org.eclipse.orion.server.core.resources.Base64;
-import org.eclipse.orion.server.useradmin.*;
+import org.eclipse.orion.server.useradmin.IOrionCredentialsService;
+import org.eclipse.orion.server.useradmin.User;
+import org.eclipse.orion.server.useradmin.UserServiceHelper;
+
+import com.meterware.httpunit.WebRequest;
/**
* Base class for all Orion server tests. Providers helper methods common
diff --git a/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/servlets/site/HostingTest.java b/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/servlets/site/HostingTest.java
index 7ddf1f8..075ecd3 100644
--- a/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/servlets/site/HostingTest.java
+++ b/tests/org.eclipse.orion.server.tests/src/org/eclipse/orion/server/tests/servlets/site/HostingTest.java
@@ -7,11 +7,16 @@ import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
+import java.net.URL;
import java.net.URLEncoder;
+import org.eclipse.core.runtime.CoreException;
+import org.eclipse.core.runtime.IPath;
import org.eclipse.core.runtime.Path;
import org.eclipse.orion.internal.server.servlets.ProtocolConstants;
import org.eclipse.orion.internal.server.servlets.site.SiteConfigurationConstants;
+import org.eclipse.orion.internal.server.servlets.workspace.authorization.AuthorizationService;
+import org.eclipse.orion.server.useradmin.User;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
@@ -187,6 +192,55 @@ public class HostingTest extends CoreSiteTest {
}
@Test
+ // Test for https://bugs.eclipse.org/bugs/show_bug.cgi?id=382760
+ public void testDisallowedSiteAccess() throws SAXException, IOException, JSONException, URISyntaxException, CoreException {
+ User userBObject = createUser("userB", "userB");
+ String userB = userBObject.getLogin();
+
+ // User "test": create file in test's workspace
+ final String filename = "foo.html";
+ final String fileContent = "<html><body>This is a test file</body></html>";
+ WebResponse createdFile = createFileOnServer(filename, fileContent);
+ URL fileLocation = createdFile.getURL();
+ IPath filepath = new Path(fileLocation.getPath());
+ filepath = filepath.removeFirstSegments(new Path(FILE_SERVLET_LOCATION).segmentCount()); // chop off leading /file/
+ filepath = filepath.removeLastSegments(1); // chop off trailing /foo.html
+ filepath = filepath.makeAbsolute();
+ filepath = filepath.addTrailingSeparator();
+ String parentFolder = filepath.toString();
+
+ // User B: Create a workspace that User B has access to
+ WebResponse createWorkspaceResp = basicCreateWorkspace("userB");
+ String bWorkspaceId = new JSONObject(createWorkspaceResp.getText()).getString(ProtocolConstants.KEY_ID);
+ AuthorizationService.addUserRight(userBObject.getUid(), createWorkspaceResp.getURL().getPath());
+ AuthorizationService.addUserRight(userBObject.getUid(), createWorkspaceResp.getURL().getPath() + "/*");
+
+ // User B: create a site against B's workspace that exposes a file in test's workspace
+ final String siteName = "My hosted site";
+ final String filePath = parentFolder; //"/" + filename;
+ final String mountAt = "/"; //"/file.html";
+ final JSONArray mappings = makeMappings(new String[][] {{mountAt, filePath}});
+
+ WebRequest createSiteReq = getCreateSiteRequest(siteName, bWorkspaceId, mappings, null);
+ setAuthentication(createSiteReq, userB, userB);
+ WebResponse createSiteResp = webConversation.getResponse(createSiteReq);
+ assertEquals(HttpURLConnection.HTTP_CREATED, createSiteResp.getResponseCode());
+ JSONObject siteObject = new JSONObject(createSiteResp.getText());
+
+ // User B: Start the site
+ final String siteLocation = siteObject.getString(ProtocolConstants.KEY_LOCATION);//createSiteResp.getHeaderField("Location");
+ siteObject = startSite(siteLocation, userB, userB);
+
+ final JSONObject hostingStatus = siteObject.getJSONObject(SiteConfigurationConstants.KEY_HOSTING_STATUS);
+ final String hostedURL = hostingStatus.getString(SiteConfigurationConstants.KEY_HOSTING_STATUS_URL);
+
+ // Attempt to access file on user B's site, should fail
+ WebRequest getFileReq = new GetMethodWebRequest(hostedURL + mountAt);
+ WebResponse getFileResp = webConversation.getResponse(getFileReq);
+ assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getFileResp.getResponseCode());
+ }
+
+ @Test
public void testRemoteProxyRequest() throws SAXException, IOException, JSONException, URISyntaxException {
final String siteName = "My remote hosting site";
final String remoteRoot = "/remoteWeb", remotePrefPath = "/remotePref", remoteFilePath = "/remoteFile";
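Review bot: testDisallowedSiteAccess only requests the site root `hostedURL + mountAt`, which maps to a directory URI ending in `/`; nothing requests the file itself, so a regression that forbids directory listings but still serves `foo.html` through the mapping would pass. After the existing assertion add `getFileResp = webConversation.getResponse(new GetMethodWebRequest(hostedURL + mountAt + filename)); assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getFileResp.getResponseCode());` so both forms of the new check are covered. The commented-out alternatives left on the `filePath`, `mountAt` and `siteLocation` lines (`//"/" + filename;`, `//"/file.html"`, `//createSiteResp.getHeaderField("Location")`) should be removed rather than kept as trailing noise. The test creates `userB` and B's workspace without visible cleanup; whether the base class tears them down cannot be seen from this hunk.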
@@ -248,10 +302,12 @@ public class HostingTest extends CoreSiteTest {
* @throws URISyntaxException
* @returns The JSON representation of the started site.
*/
- private JSONObject startSite(String siteLocation) throws JSONException, IOException, SAXException, URISyntaxException {
+ private JSONObject startSite(String siteLocation, String user, String password) throws JSONException, IOException, SAXException, URISyntaxException {
JSONObject hostingStatus = new JSONObject();
hostingStatus.put(SiteConfigurationConstants.KEY_HOSTING_STATUS_STATUS, "started");
WebRequest launchSiteReq = getUpdateSiteRequest(siteLocation, null, null, null, null, hostingStatus);
+ if (user != null && password != null)
+ setAuthentication(launchSiteReq, user, password);
WebResponse launchSiteResp = webConversation.getResponse(launchSiteReq);
assertEquals(launchSiteResp.getText(), HttpURLConnection.HTTP_OK, launchSiteResp.getResponseCode());
@@ -262,6 +318,10 @@ public class HostingTest extends CoreSiteTest {
return siteObject;
}
+ private JSONObject startSite(String siteLocation) throws JSONException, IOException, SAXException, URISyntaxException {
+ return startSite(siteLocation, null, null);
+ }
+
/**
* Stops the site at <code>siteLocation</code>, and asserts that it was stopped.
* @throws URISyntaxException
@@ -284,8 +344,8 @@ public class HostingTest extends CoreSiteTest {
* @param filename
* @param fileContent
*/
- private void createFileOnServer(String filename, String fileContent) throws SAXException, IOException, JSONException, URISyntaxException {
- createFileOnServer("/", filename, fileContent);
+ private WebResponse createFileOnServer(String filename, String fileContent) throws SAXException, IOException, JSONException, URISyntaxException {
+ return createFileOnServer("/", filename, fileContent);
}
private void createDirectoryOnServer(String dirname) throws SAXException, IOException, JSONException {
@@ -295,7 +355,7 @@ public class HostingTest extends CoreSiteTest {
assertEquals(HttpURLConnection.HTTP_CREATED, createDirResp.getResponseCode());
}
- private void createFileOnServer(String fileServletLocation, String filename, String fileContent) throws SAXException, IOException, JSONException, URISyntaxException {
+ private WebResponse createFileOnServer(String fileServletLocation, String filename, String fileContent) throws SAXException, IOException, JSONException, URISyntaxException {
webConversation.setExceptionsThrownOnErrorStatus(false);
WebRequest createFileReq = getPostFilesRequest(fileServletLocation, getNewFileJSON(filename).toString(), filename);
WebResponse createFileResp = webConversation.getResponse(createFileReq);
@@ -303,6 +363,7 @@ public class HostingTest extends CoreSiteTest {
createFileReq = getPutFileRequest(createFileResp.getHeaderField("Location"), fileContent);
createFileResp = webConversation.getResponse(createFileReq);
assertEquals(HttpURLConnection.HTTP_OK, createFileResp.getResponseCode());
+ return createFileResp;
}
private WebRequest createSetPreferenceRequest(String location, String key, String value) {