
Bug 382139

Summary: Permission checks should be case sensitive
Product: [ECD] Orion
Component: Server
Status: RESOLVED FIXED
Severity: major
Priority: P3
Version: unspecified
Target Milestone: 1.0 M2
Hardware: PC
OS: Windows 7
Reporter: John Arthorne <john.arthorne>
Assignee: John Arthorne <john.arthorne>
QA Contact:
CC: simon_kaegi
Whiteboard:

Description John Arthorne CLA 2012-06-08 14:14:53 EDT
AuthorizationService.java line 190-191 looks like this:

String uriToMatch = uri.toLowerCase(Locale.ENGLISH);
String patternToMatch = userRight.getString(ProtocolConstants.KEY_USER_RIGHT_URI).toLowerCase(Locale.ENGLISH);

Notice it is lowercasing the URI before checking for authorization. URIs are case sensitive so it should not be doing this. We had a case where Ken had a project with id "HR" and McQ had a project with id "Hr". They were able to edit each other's projects.
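As an added illustration, not code from this bug or from Orion itself, the check quoted above reduced to a self-contained Java class: the defective lower-casing variant beside the case-sensitive one. The trailing-`*` wildcard matcher, the `UserRight` record and the method bit mask are assumptions standing in for Orion's real user-right format.

```java
import java.util.List;
import java.util.Locale;
public final class AuthorizationDemo {
    // Assumed encoding of allowed HTTP methods as a bit mask (not Orion's own constants).
    static final int GET = 1, PUT = 2, POST = 4, DELETE = 8;

    /** Hypothetical user-right entry: a URI pattern plus the methods it grants. */
    record UserRight(String uriPattern, int methodMask) {}

    /** Assumed matcher: a trailing "*" matches any suffix, otherwise the pattern must equal the URI. */
    static boolean wildcardMatch(String pattern, String uri) {
        if (pattern.endsWith("*")) {
            return uri.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(uri);
    }

    /** The defective check from the bug: both sides are lower-cased, so projects "HR" and "Hr" collapse into one. */
    static boolean isAuthorizedCaseInsensitive(List<UserRight> rights, String uri, int method) {
        String uriToMatch = uri.toLowerCase(Locale.ENGLISH);
        for (UserRight right : rights) {
            String patternToMatch = right.uriPattern().toLowerCase(Locale.ENGLISH);
            if (wildcardMatch(patternToMatch, uriToMatch) && (right.methodMask() & method) != 0) {
                return true;
            }
        }
        return false;
    }

    /** The corrected check: URIs are case sensitive, so compare them exactly as stored and as requested. */
    static boolean isAuthorizedCaseSensitive(List<UserRight> rights, String uri, int method) {
        for (UserRight right : rights) {
            if (wildcardMatch(right.uriPattern(), uri) && (right.methodMask() & method) != 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed data: McQ holds rights only on his own project "Hr"; Ken's project is "HR".
        List<UserRight> mcqRights = List.of(new UserRight("/file/Hr/*", GET | PUT | POST | DELETE));
        String kensFile = "/file/HR/README.md";
        String mcqsFile = "/file/Hr/README.md";
        System.out.println("lower-cased check, Ken's file: " + isAuthorizedCaseInsensitive(mcqRights, kensFile, PUT));
        System.out.println("exact check, Ken's file:       " + isAuthorizedCaseSensitive(mcqRights, kensFile, PUT));
        System.out.println("exact check, McQ's own file:   " + isAuthorizedCaseSensitive(mcqRights, mcqsFile, PUT));
    }
}
```

Run it with `java AuthorizationDemo.java` (Java 16 or later for the record): the lower-cased check grants McQ a PUT on Ken's file, which is the cross-project edit the report describes, while the exact check denies it and still permits McQ's own project.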
Comment 1 John Arthorne CLA 2012-06-08 14:40:52 EDT
It looks like the patch in this comment introduced the lowercasing:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=334983#c2

That bug is all about pattern matching so there doesn't seem to be a reason for introducing the lower-casing.
Comment 2 John Arthorne CLA 2012-06-08 15:23:35 EDT
Szymon and Gosia I leave it to you, but I think it's important to fix for 0.5.
Comment 3 Szymon Brandys CLA 2012-06-14 12:00:42 EDT
Removing toLowerCase makes sense. I was investigating why it was introduced 1.5 years ago. At some point we were using absolute locations in JSONs like Clonelocation: www.orionhub.org/gitapi/clone... and maybe lowercasing was for handling host names.

I could change it now, I'm just afraid that some user rights on orionhub or orion.eclipse.org have wrong cases and some users will be affected. I talked to Simon and it seems it will be better to release it in 1.0.
Comment 4 John Arthorne CLA 2012-08-28 10:04:15 EDT
I'm working in this area right now.