Invalid RewriteRule for checking wgaccess  (#9000)
Issue

Recent versions of the WRE have included new rules to address the file privileges when downloading a secured file asset directly via the uploads path (see this ticket).

Unfortunately the rewrite rule has a bug. There is a $ instead of a % in the second rule, which causes it to fail to perform its duty of forcing the proxy to happen if a .wgaccess file exists.

I've marked this bug report as critical since it's a potential security issue for clients who are relying on this behavior.

Solution Summary
Comments
pvanthony
0
10/30/2008 12:14 pm
Not sure if this is related. Changed the "$" to "%" in the modproxy of the domain in the test. Created an article. Added an attachment to the article (an image file). Set the security to "admin can only view". Copied the link to the image (/uploads/random/image.jpg). Logged out. Tried to access the image file by using the link. The image file is served. Shouldn't the attachment file be prevented from being viewed, since the security setting for the article is set to be viewable by the admin?
martink
0
11/12/2008 3:11 am
I stumbled on this same issue. When fixing this bug for WRE 0.8.6 I think it may be advisable to include information on how to fix the existing mod_proxy confs, or do it from some upgrade script if there is such a thing. Anyway, a convenient way of fixing all confs is issuing the following command:

sed -i 's/${DOCUMENT_ROOT}/%{DOCUMENT_ROOT}/' /data/wre/etc/*.modproxy
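An added shell example (not part of the ticket, the WRE, or martink's comment) that generalizes the one-liner above: it audits a directory of *.modproxy files for the broken `${DOCUMENT_ROOT}` reference, and rewrites every occurrence on a line rather than only the first. The RewriteCond/RewriteRule text and the backend address in the sample file are constructed for illustration, not the real WRE configuration.

```shell
#!/bin/sh
# Added example, not WRE code. mod_rewrite expands server variables as
# %{NAME}; "${DOCUMENT_ROOT}" is never expanded, so a RewriteCond testing
# "${DOCUMENT_ROOT}/.../.wgaccess -f" never matches and the [P] rule that
# forces the request through WebGUI's permission check is silently skipped.

# Constructed sample fragment of a *.modproxy file carrying the bug
# (hypothetical rule text, not the real WRE config).
make_sample_conf() {
    cat > "$1" <<'EOF'
RewriteEngine On
# Proxy the request to WebGUI when a .wgaccess file guards the directory.
RewriteCond ${DOCUMENT_ROOT}/uploads/$1/.wgaccess -f
RewriteRule ^/uploads/(.*)/[^/]+$ http://127.0.0.1:8081%{REQUEST_URI} [P,L]
EOF
}

# Print the number of lines in a file that still use ${DOCUMENT_ROOT}.
# grep -c exits 1 when the count is 0, so swallow that exit status.
count_bad_refs() {
    grep -Fc '${DOCUMENT_ROOT}' "$1" || true
}

# List every *.modproxy file in a directory that still needs fixing.
audit_modproxy_dir() {
    for f in "$1"/*.modproxy; do
        [ -f "$f" ] || continue
        [ "$(count_bad_refs "$f")" -gt 0 ] && echo "$f"
    done
    return 0
}

# Replace every occurrence (the /g flag) instead of only the first per line,
# and avoid "sed -i", whose syntax differs between GNU and BSD sed.
fix_document_root_refs() {
    sed 's/\${DOCUMENT_ROOT}/%{DOCUMENT_ROOT}/g' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}
```

Run `audit_modproxy_dir /data/wre/etc` first to see which confs are affected, then `fix_document_root_refs` on each listed file.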
knowmad
0
12/29/2008 3:53 pm
PVanthony,

If you set the security on the article *after* attaching the image, then I'd expect the behavior that you are reporting since the newly uploaded image should inherit the permissions from the asset it's being attached to. It'd be useful to test this behavior as I'm only describing my expectations.

Nonetheless, your report brings up a good point about permissions for collateral assets. I'm not sure if WebGUI has a stated position in the WebGUI Dev Guide. Can one of the PB staff comment?


William
pvanthony
0
1/18/2009 8:54 am
Just did a test like so,
1. create an article with security set to admin.
2. save article.
3. edit article and add attachment.
4. save article.
5. copy the link to attachment.
6. logout.
7. try to get attachment using the link copied earlier.
8. the attachment is served.

The permissions on the article have no bearing on the attachments.

P.V.Anthony
Graham
0
2/3/2009 6:24 pm
There are three separate issues here:
First, the RewriteRule for checking if .wgaccess was incorrect.  It has been fixed for future releases of the WRE.
Second, permissions weren't correctly being applied to Article attachments.  This has been fixed in WebGUI 7.6.11.
Third, old revisions of files, articles, etc keep their old storage locations, and new permissions don't get enforced on them.  This is part of the current design.  You can purge the old revisions using the Change URL function.  If you think this behavior should change, file an RFE for it.

Closing as fixed.
Details
Ticket Status: Resolved
Rating: 0.0
Submitted By: knowmad
Date Submitted: 2008-10-28
Assigned To: Graham
Date Assigned: 2009-01-15
Assigned By: Graham
Severity: Critical (mostly not working)
What's the bug in?: WebGUI Stable
WebGUI / WRE Version: 0.8.5
URL: bugs/tracker/9000
Ticket History
2/3/2009 6:24 PM: Resolved (Graham)
1/15/2009 9:11 AM: Assigned to Graham (Graham)
10/28/2008 5:01 PM: Ticket created (knowmad)