Bug 345805 - orionhub.org site reveals email addresses
Summary: orionhub.org site reveals email addresses
Status: RESOLVED FIXED
Alias: None
Product: Orion
Classification: ECD
Component: Client
Version: 0.2
Hardware: All
OS: All
Importance: P1 critical
Target Milestone: 0.2
Assignee: John Arthorne CLA

Reported: 2011-05-14 06:00 EDT by Rick Leir CLA
Modified: 2011-09-01 11:41 EDT
Description Rick Leir CLA 2011-05-14 06:00:19 EDT
Build Identifier: none

The orionhub.org site reveals email addresses of many community members, and can be searched via Google. Look at:
http://orionhub.org/file/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store

Reproducible: Always

Steps to Reproduce:
1. Google your email address
2. Click on the only result
Comment 1 Denis Roy CLA 2011-05-16 08:22:29 EDT
I've fixed this on Orionhub with some Apache rewrite rules. Thanks for reporting this.

Punting to the Orion team -- you can witness this on orion.eclipse.org:
http://orion.eclipse.org/file/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store

Browsing to /file/ also reveals a nice directory listing:
http://orion.eclipse.org/file/
Comment 2 Boris Bokowski CLA 2011-05-16 09:07:31 EDT
Denis, could you please also block those URLs when going through orionhub.org:8080, without blocking port 8080 completely? Thanks!
Comment 3 John Arthorne CLA 2011-05-16 09:09:33 EDT
This was opened up by our new "make all projects world readable" setting.
Comment 4 John Arthorne CLA 2011-05-16 10:21:08 EDT
Fix and tests:

http://git.eclipse.org/c/e4/org.eclipse.orion.server.git/commit/?id=e307fe12df9c8ceac2eda2b0b5c662233b8ba866

I fixed this in two places. First, the authorization filter now forbids read access to the metadata even when "global read access" is enabled. Second, the File servlet itself forbids any kind of access to the metadata (GET/PUT/DELETE/POST).

Tests included for various permutations of metadata access.
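The two-layer fix described in comment 4 (an authorization filter that denies metadata reads even when global read access is on, plus a servlet that refuses every method on metadata paths) can be modelled in a few dozen lines. The Python below is an added example written for this page, not code from the Orion server or the linked commit. It assumes that the protected area is any path containing a `.metadata` segment, that the filter and servlet report decisions as HTTP status codes, and that the function names (`normalize_path`, `is_metadata_path`, `authorization_filter`, `file_servlet`, `handle_request`) are hypothetical. It goes slightly beyond the bug by canonicalising the path first, so that `..` segments, backslashes and (double) percent-encoding cannot sidestep the segment check.

```python
# Added example, not Orion's code: two-layer denial of access to the
# server metadata area, modelled on the fix described in comment 4.
# Assumptions (not from the bug): metadata is any path containing a
# ".metadata" segment, and the filter/servlet return HTTP status codes.
import posixpath
from urllib.parse import unquote

METADATA_SEGMENT = ".metadata"   # assumed name of the protected directory


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path before any access decision.

    Percent-decodes twice (covers double-encoded "%252E"), treats
    backslashes as separators, and resolves "." and ".." so that
    "/file/proj/../.metadata" becomes "/file/.metadata".
    """
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_metadata_path(raw_path: str) -> bool:
    """True if any segment of the canonical path is the metadata directory."""
    return METADATA_SEGMENT in normalize_path(raw_path).split("/")


def authorization_filter(method: str, path: str, global_read: bool) -> int:
    """First layer: the request filter.

    Metadata is denied before the global-read rule is even consulted,
    so enabling "make all projects world readable" cannot expose it.
    """
    if is_metadata_path(path):
        return 403
    if method == "GET" and global_read:
        return 200   # world-readable: let the servlet serve it
    return 401       # constructed: a real server would check per-user rights here


def file_servlet(method: str, path: str) -> int:
    """Second layer: the servlet refuses GET/PUT/POST/DELETE alike on
    metadata paths, so the protection holds even if the filter is
    misconfigured or bypassed."""
    if is_metadata_path(path):
        return 403
    return 200


def handle_request(method: str, path: str, global_read: bool = True,
                   filter_enabled: bool = True) -> tuple:
    """Run both layers; returns (status, layer that produced the decision)."""
    if filter_enabled:
        status = authorization_filter(method, path, global_read)
        if status != 200:
            return status, "filter"
    return file_servlet(method, path), "servlet"


if __name__ == "__main__":
    # Constructed requests, including the user_store path from the report
    user_store = ("/file/.metadata/.plugins/"
                  "org.eclipse.orion.server.user.securestorage/user_store")
    for method, path, kwargs in [
        ("GET", user_store, {}),
        ("GET", user_store, {"filter_enabled": False}),
        ("GET", "/file/proj/../.metadata/user_store", {}),
        ("GET", "/file/%252Emetadata/user_store", {}),
        ("GET", "/file/myproject/README.md", {}),
        ("GET", "/file/myproject/README.md", {"global_read": False}),
    ]:
        print(method, path, kwargs, "->", handle_request(method, path, **kwargs))
```

Disabling the filter in the second request shows why the servlet check matters: the outer layer is the one most likely to be reconfigured (or replaced by front-end rewrite rules, as in comment 1), while the servlet sits next to the data and cannot be switched off by a deployment setting.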