| Summary: | orionhub.org site reveals email addresses | | |
|---|---|---|---|
| Product: | [ECD] Orion | Reporter: | Rick Leir <reclipsebugs> |
| Component: | Client | Assignee: | John Arthorne <john.arthorne> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | P1 | CC: | bokowski |
| Version: | 0.2 | | |
| Target Milestone: | 0.2 | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
Description
Rick Leir
I've fixed this on Orionhub with some Apache rewrite rules. Thanks for reporting this. Punting to the Orion team -- you can witness this on orion.eclipse.org: http://orion.eclipse.org/file/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store

Browsing to /file/ also reveals a nice directory listing: http://orion.eclipse.org/file/

Denis, could you please also block those URLs when going through orionhub.org:8080, without blocking port 8080 completely? Thanks!

This was opened up by our new "make all projects world readable" setting.

Fix and tests: http://git.eclipse.org/c/e4/org.eclipse.orion.server.git/commit/?id=e307fe12df9c8ceac2eda2b0b5c662233b8ba866

I fixed this in two places. First, the authorization filter now forbids read access to the metadata even when "global read access" is enabled. Second, the File servlet itself forbids any kind of access to the metadata (GET/PUT/DELETE/POST). Tests included for various permutations of metadata access.
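The shape of the server-side check the comments above describe, as an added example that is not Orion's own code and not the linked commit: a request path is normalized (percent-decoding, including double encoding, then `.` and `..` segment resolution) before any segment is compared against `.metadata`, and a hit is refused for every method regardless of the "global read access" setting. The function names, the `authorize` policy for non-metadata paths, and the sample paths other than the `user_store` URL from the report are assumptions made for illustration.

```python
"""Added example (hypothetical names; not code from the Orion project):
deny workspace metadata access before the per-project read/write policy runs."""
from urllib.parse import unquote

# From the bug report: the secure storage lives under /file/.metadata/...
METADATA_DIR = ".metadata"


def normalize(path: str) -> list[str]:
    """Decode percent-encoding twice (catches %252e style double encoding),
    then resolve '.' and '..' the way a container would before dispatch.
    Comparing raw strings instead would let /file/..%2F.metadata slip past."""
    decoded = unquote(unquote(path))
    segments: list[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return segments


def is_metadata_access(path: str) -> bool:
    """True if any normalized segment is the metadata directory.
    Case-insensitive on the assumption that the workspace may sit on a
    case-insensitive filesystem, where .METADATA would open the same tree."""
    return any(seg.lower() == METADATA_DIR for seg in normalize(path))


def authorize(method: str, path: str, global_read: bool, user_can_write: bool) -> int:
    """Return the HTTP status a filter would send. Metadata is refused for
    every method (GET/PUT/DELETE/POST) even when global_read is on; for all
    other paths an assumed simple policy applies: reads pass when global_read
    is enabled or the user has rights, writes require user rights."""
    if is_metadata_access(path):
        return 403
    if method in ("GET", "HEAD"):
        return 200 if (global_read or user_can_write) else 403
    return 200 if user_can_write else 403


if __name__ == "__main__":
    # Constructed sample requests; the first path is the one from the report.
    for m, p in [
        ("GET", "/file/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store"),
        ("GET", "/file/project/../.metadata/user_store"),
        ("GET", "/file/%252e%256Detadata/user_store"),
        ("PUT", "/file/project/src/Main.java"),
        ("GET", "/file/project/src/Main.java"),
    ]:
        print(m, p, "->", authorize(m, p, global_read=True, user_can_write=False))
```

The important ordering is that the metadata check runs first and on the normalized path, so turning on "make all projects world readable" cannot widen it, and a traversal or encoding trick cannot route around it.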