Document is downloadable by public even when it is restricted (Apache 2.4) #322

jiadiyao opened this issue Jun 2, 2015 · 3 comments


@jiadiyao jiadiyao commented Jun 2, 2015

Document can be downloaded regardless of its security settings (staff only or admin only). (For example, if the latest items or search result page shows the document thumbnail and the thumbnail links to the document file, the file can be downloaded without the need to log in.)

Initial investigation indicates that this is a library issue with mod_perl (mod_perl 2.09 against Apache 2.4).

In cfg.d/, the following line is giving an error and making the security checking function return prematurely, which subsequently allows anyone to download a restricted document:

my $ip = $r->connection()->remote_ip();

The machine detail:
CentOS Linux release 7.0.1406 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID_LIKE="rhel fedora"
PRETTY_NAME="CentOS Linux 7 (Core)"
CentOS Linux release 7.0.1406 (Core)

Apache version:
Server version: Apache/2.4.6 (CentOS)
Server built: Jan 12 2015 13:22:31

mod_perl version: 2.000009

A temp fix is to comment out the line from the
This fix implies that the IP-based authentication (e.g. campus IP can download the document without needing to log in) would no longer work.


@alenkovich alenkovich commented Aug 25, 2015

I can confirm the issue (and a temp fix) - 3.3.14 on Debian Jessie


@leonardo-mezzina leonardo-mezzina commented Aug 25, 2015

Following this,+Tutorial+%26+User+Manual/HOW-TO+%3A+Install+Eprints+v3.3.12++on+Ubuntu+14.04+With+LDAP+Authentication
I think you can solve using $r->connection->client_ip()
Personally I solved using
my $ip = $doc->repository->remote_ip();
which you can find commented in the original
Either should work.

Contributor Author

@jiadiyao jiadiyao commented Sep 6, 2017

related to #214.
resolved in 26e97fc
my $ip = $doc->repository->remote_ip();

@jiadiyao jiadiyao closed this Sep 6, 2017
@jiadiyao jiadiyao added the bug label Sep 6, 2017
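
An added example (not EPrints code and not part of the thread): a fail-closed form of the kind of IP check discussed above, which uses `client_ip` or `remote_ip` depending on what the connection object provides and denies access when the lookup itself throws. The stand-in packages, `peer_ip`, `ip_may_view`, `allow_download` and the 192.0.2.0/24 "campus" range are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins for the mod_perl objects (not the real Apache2::Connection).
package Conn22 { sub new { bless { ip => $_[1] }, $_[0] } sub remote_ip { $_[0]{ip} } }
package Conn24 { sub new { bless { ip => $_[1] }, $_[0] } sub client_ip { $_[0]{ip} } }
package Req    { sub new { bless { c => $_[1] }, $_[0] } sub connection { $_[0]{c} } }

package main;

# Return the peer address on either API; die if neither accessor exists.
sub peer_ip {
    my ($r) = @_;
    my $c = $r->connection;
    for my $method (qw(client_ip remote_ip)) {
        return $c->$method() if $c->can($method);
    }
    die "connection object has no client_ip/remote_ip accessor\n";
}

# Hypothetical policy: restricted documents are readable from a campus range only.
# 192.0.2.0/24 is a documentation range, used here as a constructed value.
sub ip_may_view {
    my ($r) = @_;
    my $ip = peer_ip($r);
    return $ip =~ /\A192\.0\.2\.\d{1,3}\z/ ? 1 : 0;
}

# Fail closed: any exception inside the check is logged and treated as "deny",
# so a broken accessor can never turn into an implicit "allow".
sub allow_download {
    my ($r) = @_;
    my $ok = eval { ip_may_view($r) };
    if ($@) { warn "access check failed, denying: $@"; return 0; }
    return $ok ? 1 : 0;
}

my @cases = (
    [ '2.2-style, campus'  => Req->new(Conn22->new('192.0.2.10')) ],
    [ '2.4-style, campus'  => Req->new(Conn24->new('192.0.2.10')) ],
    [ '2.4-style, outside' => Req->new(Conn24->new('198.51.100.7')) ],
    [ 'unknown API'        => Req->new(bless {}, 'Other') ],
);
printf "%-20s %s\n", $_->[0], allow_download($_->[1]) ? 'ALLOW' : 'DENY' for @cases;
```

The last case is the one that matters for this issue: when the address cannot be obtained at all, the request is denied and the failure is logged instead of the check ending early.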