
Task #11154 (closed)

Opened 11 years ago

Closed 10 years ago

Last modified 10 years ago

Bug: secure logfilename passing

Reported by: jamoore
Owned by: jamoore
Priority: blocker
Milestone: 5.0.0-rc1
Component: Services
Version: 5.0.0-beta1
Keywords: fs
Cc: fs@…
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: OMERO 5 Beta 2 (1)

Description

See: https://github.com/openmicroscopy/openmicroscopy/pull/1251/files

When a filename is passed to CallContext it should be checked for write access by the current user. This should probably be encapsulated in a CallContextCallback or similar which can be injected into the CallContext object.

Change History (9)

comment:1 Changed 11 years ago by jamoore

  • Milestone changed from 5.0.0-beta1 to 5.0.0-beta2
  • Sprint FS demo 4.x deleted
  • Version set to 4.4.8

comment:2 Changed 11 years ago by jamoore

  • Version changed from 4.4.8 to 5.0.0-beta1

comment:3 Changed 10 years ago by jamoore

  • Owner set to cblackburn

comment:4 Changed 10 years ago by jamoore

  • Sprint set to OMERO 5 Beta 2 (1)

comment:5 Changed 10 years ago by cblackburn

In reviewing the reasons for this ticket I noticed this minor issue which can be fixed in any PR addressing the ticket.

https://github.com/openmicroscopy/openmicroscopy/pull/1251/files#r7626187

comment:6 Changed 10 years ago by jamoore

  • Owner changed from cblackburn to jamoore

comment:7 Changed 10 years ago by bpindelski

Solution proposed by Josh: a token (UUID) is generated in the Spring context and injected into CallContext and ManagedRepositoryI. It is then passed from ManagedRepositoryI to OMEROMetadataStoreClient (along with the log filename). The CallContext can then check for the presence of the token and allow or deny the use of omero.logfilename (throw an exception if denied).
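The scheme in the comment above, as an added sketch that is not OMERO's own code: a server-side secret is created once (where a Spring bean would live), handed only to the trusted repository component, and the context check refuses omero.logfilename unless the matching secret is presented. The class names LogFilenameToken, CallContextGuard and ManagedRepositoryStub, the key name omero.logfilename.token, and the sample paths are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Hypothetical: secret generated once per server (would be a Spring bean) and never sent to clients. */
final class LogFilenameToken {
    private final String value = UUID.randomUUID().toString();
    String value() { return value; }
}

/** Hypothetical stand-in for the CallContext check: honour omero.logfilename only with the server token. */
final class CallContextGuard {
    static final String LOGFILENAME_KEY = "omero.logfilename";
    static final String TOKEN_KEY = "omero.logfilename.token"; // assumed key name, not OMERO's
    private final byte[] secret;

    CallContextGuard(LogFilenameToken token) {
        this.secret = token.value().getBytes(StandardCharsets.UTF_8);
    }

    /** Returns the requested log filename, null if none was requested, or throws if the token is missing/wrong. */
    String resolveLogFilename(Map<String, String> ctx) {
        String filename = ctx.get(LOGFILENAME_KEY);
        if (filename == null) {
            return null; // nothing requested, nothing to guard
        }
        String presented = ctx.get(TOKEN_KEY);
        // Constant-time comparison so the check does not leak the secret byte by byte.
        if (presented == null
                || !MessageDigest.isEqual(secret, presented.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("omero.logfilename may only be set by the server repository");
        }
        return filename;
    }
}

/** Hypothetical stand-in for ManagedRepositoryI: the only holder of the token besides the guard. */
final class ManagedRepositoryStub {
    private final LogFilenameToken token;
    ManagedRepositoryStub(LogFilenameToken token) { this.token = token; }

    /** Builds the context handed to the metadata store client, attaching the token alongside the filename. */
    Map<String, String> buildImportContext(String logFile) {
        Map<String, String> ctx = new HashMap<>();
        ctx.put(CallContextGuard.LOGFILENAME_KEY, logFile);
        ctx.put(CallContextGuard.TOKEN_KEY, token.value());
        return ctx;
    }
}

public class LogFilenameTokenDemo {
    public static void main(String[] args) {
        LogFilenameToken token = new LogFilenameToken();
        CallContextGuard guard = new CallContextGuard(token);

        // Trusted path: the repository component attaches the token, so the filename is accepted.
        Map<String, String> trusted = new ManagedRepositoryStub(token)
                .buildImportContext("/OMERO/ManagedRepository/import.log"); // constructed sample path
        System.out.println("trusted  -> " + guard.resolveLogFilename(trusted));

        // Untrusted path: a caller sets the key directly without the token and is refused.
        Map<String, String> untrusted = new HashMap<>();
        untrusted.put(CallContextGuard.LOGFILENAME_KEY, "/tmp/client-chosen.log"); // constructed sample path
        try {
            guard.resolveLogFilename(untrusted);
        } catch (SecurityException e) {
            System.out.println("untrusted -> denied: " + e.getMessage());
        }
    }
}
```

The point of the design is that the decision no longer depends on inspecting the filename itself: a client-supplied omero.logfilename is rejected outright because only the in-process repository component can produce the token, and the secret is compared with MessageDigest.isEqual rather than String.equals so the check runs in constant time.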

comment:8 Changed 10 years ago by bpindelski

  • Resolution set to fixed
  • Status changed from new to closed

comment:9 Changed 10 years ago by Josh Moore <josh@…>

(In [26fb90ed074bbc84a97c565b47a932bc83eec25f/ome.git] on branch develop) Merge pull request #1866 from bpindelski/11154-logfile

Make log filename setting secure (see #11154).
