
Document is downloadable by public even when it is restricted (Apache 2.4) #322

Closed
jiadiyao opened this issue Jun 2, 2015 · 3 comments

jiadiyao (Contributor) commented Jun 2, 2015

Documents can be downloaded regardless of their security settings (staff only or admin only). (For example, if the latest items page or a search result page shows the document thumbnail and the thumbnail links to the document file, the file can be downloaded without the need to log in.)

Initial investigation indicates that this is a library issue with mod_perl (mod_perl 2.09 against Apache 2.4).

In cfg.d/security.pl, the following line is giving an error and making the security checking function return prematurely, which subsequently allows anyone to download a restricted document:

my $ip = $r->connection()->remote_ip();

The machine detail:
CentOS Linux release 7.0.1406 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CentOS Linux release 7.0.1406 (Core)

Apache version:
Server version: Apache/2.4.6 (CentOS)
Server built: Jan 12 2015 13:22:31

mod_perl version: 2.000009

A temp fix is to comment out the line in security.pl.
This fix implies that the IP-based authentication (e.g. campus IPs can download the document without needing to log in) would no longer work.

alenkovich commented Aug 25, 2015

I can confirm the issue (and a temp fix) - 3.3.14 on Debian Jessie

leonardo-mezzina commented Aug 25, 2015

Following this
http://wiki.unimas.my/unimaswiki/bin/view/HOW-TO,+Tutorial+%26+User+Manual/HOW-TO+%3A+Install+Eprints+v3.3.12++on+Ubuntu+14.04+With+LDAP+Authentication
I think you can solve it using $r->connection->client_ip()
Personally I solved it using
my $ip = $doc->repository->remote_ip();
which you can find commented out in the original
/usr/share/eprints3/lib/defaultcfg/cfg.d/security.pl
Either should work.

jiadiyao (Contributor, Author) commented Sep 6, 2017

Related to #214.
Resolved in 26e97fc: use
my $ip = $doc->repository->remote_ip();
instead.

jiadiyao closed this Sep 6, 2017
jiadiyao added the bug label Sep 6, 2017