Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed and reviewed
    • Affects versions: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 4.0, 4.1, 4.2
    • Fix versions: 3.6, 4.4, 5.0
    • Components: Backend Software
    • Labels:
      None
    • Severity:
      Security
    • Steps to reproduce:
      Hide
      Hi everyone,
      I just noticed the following code:

          public class XACMLAuthorizationService implements AuthorizationService {
          ...
            public boolean hasPermission(final MediaPackage mp, final String action) {
              ...
              return getXacmlAttachment(mp).map(new Function<Attachment, Boolean>() {
                ...
              }).getOrElse(true); // <<-- SECURITY ISSUE ???
              ...
            }
          ...

      Looking at this, it seems like Opencast would just allow any type of
      access if no XACML is attached to a media package, regardless of the
      action requested. That's… wrong.

      Using `.getOrElse(false)` seems a valid quick-fix though evaluating the
      default ACL instead (maybe using `getActiveACL()`) would probably be the
      preferred choice.

      Unfortunately, I do not have time to evaluate the thread right now
      (maybe, it's actually harmless). Could anyone take a short look at this?

      Best regards,
      Lars
      Show
      Hi everyone, I just noticed the following code:     public class XACMLAuthorizationService implements AuthorizationService {     ...       public boolean hasPermission(final MediaPackage mp, final String action) {         ...         return getXacmlAttachment(mp).map(new Function<Attachment, Boolean>() {           ...         }).getOrElse(true); // <<-- SECURITY ISSUE ???         ...       }     ... Looking at this, it seems like Opencast would just allow any type of access if no XACML is attached to a media package, regardless of the action requested. That's… wrong. Using `.getOrElse(false)` seems a valid quick-fix though evaluating the default ACL instead (maybe using `getActiveACL()`) would probably be the preferred choice. Unfortunately, I do not have time to evaluate the thread right now (maybe, it's actually harmless). Could anyone take a short look at this? Best regards, Lars

      TestRail: Results

        Attachments

          Activity

            People

            • Assignee:
              greg_logan Greg Logan
              Reporter:
              lkiesow Lars Kiesow
            • Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                TestRail: Cases