Private pages can be overridden by URL hacking #44

Open
dplanella opened this Issue Mar 28, 2017 · 1 comment


dplanella commented Mar 28, 2017

Thanks for your great work on Omnigollum.

While using it, I've just noticed that if you specify protected_routes for Omnigollum in Gollum's config.rb as such:

  :protected_routes => [
    '/private/*',
    '/private'],

Then if you go to e.g. https://mywiki.com/private the authorization prompt is shown as expected. However, there seems to be an easy way to override this:

I'm by no means a Ruby developer, so I'm not too sure what's going on behind the scenes. protected_routes is processed here: https://github.com/arr2036/omnigollum/blob/master/lib/omnigollum.rb#L311

Something I tried was to modify the route, so that it's converted to downcase. While that works for that particular case, then unauthenticated users cannot access the open parts of the site that use capital letters, e.g. mywiki.com/Home. So no, the workaround does not quite work:

# Pre-empt protected routes
options[:protected_routes].each {|route| app.before(route.downcase!) {user_auth unless user_authed?}}

I'm sure there are better and cleverer ways to fix this.

Thanks.

@dplanella dplanella changed the title from Private routes can be overridden by URL hacking to Private pages can be overridden by URL hacking Mar 28, 2017


ctreffe commented Jul 10, 2018

I just stumbled upon this issue while setting up gollum with omnigollum. Also having the described problem, I finally was able to solve this using regular expressions in the config.rb:

:protected_routes => [
    /\/[Pp][Rr][Ii][Vv][Aa][Tt][Ee]\/.*/,
    /\/[Pp][Rr][Ii][Vv][Aa][Tt][Ee]/
]

I'm sure this solution can easily be improved, but being no ruby coder, this was the best I could come up with. Anyway, maybe this helps.
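The following is an added example, not code from omnigollum or from either commenter. It models, in plain Ruby, why the string patterns in the first comment fail for case variants of the path, why the `downcase!` workaround there behaves the way it does, and how the regex approach in the second comment can be written with the `/i` flag and anchors instead of `[Pp][Rr]...` classes. The helper names `compile_route`, `protected?` and `downcase_bang_routes` are assumptions made for this example; Sinatra's real route compiler (Mustermann) is more elaborate, but the case-sensitivity of a plain string route, and the fact that `String#downcase!` returns nil when nothing changes, are standard Ruby/Sinatra behaviour.

```ruby
# Added example (not omnigollum's code): a minimal model of how a
# Sinatra-style string route such as '/private/*' is matched against a
# request path, and why case variants of the path slip past it.
#
# Assumptions: compile_route, protected? and downcase_bang_routes are
# hypothetical helpers written for this example. Sinatra's real matcher is
# more elaborate, but plain string routes are case-sensitive there too.

# Compile a glob-style route ('*' matches any run of characters) into an
# anchored Regexp. ignore_case: true produces the case-insensitive form.
def compile_route(route, ignore_case: false)
  return route if route.is_a?(Regexp) # regexes are used verbatim, as in config.rb
  body = route.split('*', -1).map { |part| Regexp.escape(part) }.join('.*?')
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0)
end

# Does any protected pattern cover this request path?
def protected?(patterns, path)
  patterns.any? { |re| re.match?(path) }
end

# The configuration from the issue, exactly as written: two string routes.
CASE_SENSITIVE = ['/private/*', '/private'].map { |r| compile_route(r) }

# The downcase! workaround from the first comment. String#downcase! returns
# nil when the string is already lower-case, so for these routes the filter
# would be registered with a nil path, which in Sinatra means a before
# filter with no path restriction: every request, including /Home, is
# challenged. The routes are duplicated so the constant above is untouched.
def downcase_bang_routes(routes)
  routes.map { |r| r.dup.downcase! }
end

# A corrected form: one anchored, case-insensitive regex. This is the /i
# spelling of the [Pp][Rr][Ii]... patterns in the second comment, with
# \A and \z added so that it matches /private and /private/<anything> but
# not, say, /privateer or /docs/private.
CASE_INSENSITIVE = [%r{\A/private(/.*)?\z}i]

# Convenience: evaluate a list of constructed request paths against a
# pattern set and return which ones would be challenged.
def challenged_paths(patterns, paths)
  paths.select { |p| protected?(patterns, p) }
end

if __FILE__ == $PROGRAM_NAME
  sample = ['/private', '/private/secret', '/Private', '/PRIVATE/secret', '/Home']
  puts "string routes challenge:      #{challenged_paths(CASE_SENSITIVE, sample).inspect}"
  puts "downcase! produces:           #{downcase_bang_routes(['/private/*', '/private']).inspect}"
  puts "anchored /i regex challenges: #{challenged_paths(CASE_INSENSITIVE, sample).inspect}"
end
```

Running the file shows the three outcomes side by side: the string routes challenge only the exact lower-case paths, `downcase!` yields `[nil, nil]` for routes that are already lower-case, and the anchored `/i` regex challenges every case variant of `/private` while leaving `/Home` alone. The anchors are the part worth keeping even if you prefer the character-class spelling: an unanchored `/\/private/` also matches unrelated paths that merely contain that substring, which fails closed but is harder to reason about.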
