
Bug 345805

Summary: orionhub.org site reveals email addresses
Product: [ECD] Orion
Reporter: Rick Leir <reclipsebugs>
Component: Client
Assignee: John Arthorne <john.arthorne>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: P1
CC: bokowski
Version: 0.2
Target Milestone: 0.2
Hardware: All
OS: All
Whiteboard:

Description Rick Leir CLA 2011-05-14 06:00:19 EDT
Build Identifier: none

The orionhub.org site reveals email addresses of many community members, and can be searched via Google. Look at:
http://orionhub.org/file/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store

Reproducible: Always

Steps to Reproduce:
1. Google your email address
2. Click on the only result
Comment 1 Denis Roy CLA 2011-05-16 08:22:29 EDT
I've fixed this on Orionhub with some Apache rewrite rules.  Thanks for reporting this.

Punting to the Orion team -- you can witness this on orion.eclipse.org:
http://orion.eclipse.org/file/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store

Also, browsing to /file/ reveals a nice directory listing:
http://orion.eclipse.org/file/
Comment 2 Boris Bokowski CLA 2011-05-16 09:07:31 EDT
Denis, could you please also block those URLs when going through orionhub.org:8080, without blocking port 8080 completely? Thanks!
Comment 3 John Arthorne CLA 2011-05-16 09:09:33 EDT
This was opened up by our new "make all projects world readable" setting.
Comment 4 John Arthorne CLA 2011-05-16 10:21:08 EDT
Fix and tests:

http://git.eclipse.org/c/e4/org.eclipse.orion.server.git/commit/?id=e307fe12df9c8ceac2eda2b0b5c662233b8ba866

I fixed this in two places. First, the authorization filter now forbids read access to the metadata even when "global read access" is enabled. Second, the File servlet itself forbids any kind of access to the metadata (GET/PUT/DELETE/POST).

Tests included for various permutations of metadata access.
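The two-layer fix described in comment 4, modelled as an added example (this is not the Orion project's code, and the request and user model here is hypothetical). Layer 1 is an authorization filter that refuses the metadata location before the "global read access" shortcut is consulted; layer 2 is the file servlet refusing every method on that location on its own, so the data stays protected even if the filter is absent or misconfigured. It assumes the metadata store lives at /file/.metadata, as in the URLs quoted in this bug, and it normalizes percent-encoding and `..` segments before checking, since a path-based deny that skips normalization is easy to get wrong.

```python
"""Defense-in-depth check for a file-serving endpoint that must never expose
the server's own metadata store.

Added example, not code from the Orion project. Assumptions: the metadata
store sits at /file/.metadata (as in the URLs in this bug); the request and
user model (method, raw path, global-read flag, per-user rights) is
hypothetical.
"""
import posixpath
from urllib.parse import unquote

FILE_PREFIX = "/file"           # assumption: mount point of the file servlet
METADATA_SEGMENT = ".metadata"  # assumption: metadata root directly under it


def normalize_path(raw_path: str) -> str:
    """Percent-decode (twice, to catch double encoding) and collapse ./ and ../.

    Decoding twice can misread a literal '%25' in a filename, but for a
    deny-check that errs toward refusing, which is the safe direction.
    Leading slashes are collapsed to one so normpath cannot keep a '//' prefix.
    """
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def targets_metadata(raw_path: str) -> bool:
    """True when the normalized path is the metadata root or anything below it."""
    path = normalize_path(raw_path)
    if path != FILE_PREFIX and not path.startswith(FILE_PREFIX + "/"):
        return False
    segments = [s for s in path[len(FILE_PREFIX):].split("/") if s]
    return bool(segments) and segments[0] == METADATA_SEGMENT


def authorization_filter(method, raw_path, global_read_enabled, user_has_rights):
    """Layer 1: the filter. Metadata is refused before the global-read shortcut."""
    if targets_metadata(raw_path):
        return False
    if method in ("GET", "HEAD") and global_read_enabled:
        return True
    return user_has_rights


def file_servlet(method, raw_path):
    """Layer 2: the servlet refuses every method on metadata, independent of the filter."""
    if targets_metadata(raw_path):
        return 403
    return 200


def handle_request(method, raw_path, global_read_enabled=True,
                   user_has_rights=False, filter_installed=True):
    """Simulated chain: filter (if present), then servlet. Returns an HTTP status."""
    if filter_installed and not authorization_filter(
            method, raw_path, global_read_enabled, user_has_rights):
        return 403
    return file_servlet(method, raw_path)


if __name__ == "__main__":
    # Constructed requests; the first path is the one reported in this bug.
    leaked = ("/file/.metadata/.plugins/"
              "org.eclipse.orion.server.user.securestorage/user_store")
    print(handle_request("GET", leaked))                            # 403
    print(handle_request("GET", "/file/%2Emetadata/user_store"))    # 403, encoded dot
    print(handle_request("GET", "/file/proj/../.metadata/x"))       # 403, traversal
    print(handle_request("DELETE", leaked, user_has_rights=True))   # 403, any method
    print(handle_request("GET", leaked, filter_installed=False))    # 403, servlet alone
    print(handle_request("GET", "/file/proj/readme.txt"))           # 200 via global read
    print(handle_request("GET", "/file/proj/readme.txt",
                         global_read_enabled=False))                # 403, no rights
```

The point of `filter_installed=False` in the last block is the second layer: the servlet's own refusal holds when the filter is bypassed or the global-read setting changes again, which is why the fix lands the check in both places rather than only in the filter.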