author | Andy Doan <andy.doan@linaro.org> | 2015-07-30 10:27:26 -0500 |
---|---|---|
committer | Linaro Code Review <review@review.linaro.org> | 2015-07-30 16:21:29 +0000 |
commit | 0255455978152e6bb1b4b024a8683cc66f05f910 (patch) | |
tree | 4116003b24e77bd9287cf4833177ea6848676d9a /sampleroot/protected_listing | |
parent | ccffb5f903c2e044ed3a022f3d878a6efbd4a633 (diff) |
regression bug #1729: ensure directories are protected
We had an "information leak" where going to a protected folder like:
http://releases.linaro.org/android/images/lcr-member-juno/15.07
only worked if you included the trailing "/":
http://releases.linaro.org/android/images/lcr-member-juno/15.07/
It wasn't a terrible leak, because the artifacts were still protected.
However, this fixes the directory rendering logic and adds a regression
test so we don't mess this up again in the future.
The regression was caused by the new Artifact code passing the directory
name to build-info's constructor when doing a directory listing.
The root issue was really the fact that people use a subtle oddity of
our build-info implementation to enforce directory-listing protection.
If a build-info includes a trailing "," then it will match the call to
.get('auth-groups') because we pass an empty filename to the build-info
constructor.
Change-Id: Ifb2546634d5c675d431187ef555dd215c8e65bc4
Diffstat (limited to 'sampleroot/protected_listing')
-rw-r--r-- | sampleroot/protected_listing/BUILD-INFO.txt | 6 | ||||
-rw-r--r-- | sampleroot/protected_listing/foo.txt | 0 |
2 files changed, 6 insertions, 0 deletions
diff --git a/sampleroot/protected_listing/BUILD-INFO.txt b/sampleroot/protected_listing/BUILD-INFO.txt new file mode 100644 index 0000000..d7fc3ad --- /dev/null +++ b/sampleroot/protected_listing/BUILD-INFO.txt @@ -0,0 +1,6 @@ +Format-Version: 0.5 + +Files-Pattern: *.txt, +License-Type: protected +Auth-Groups: lmg-members-only + diff --git a/sampleroot/protected_listing/foo.txt b/sampleroot/protected_listing/foo.txt new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/sampleroot/protected_listing/foo.txt |
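Review bot: The trailing comma in `Files-Pattern: *.txt,` in BUILD-INFO.txt is load-bearing but nothing in the fixture says so. Per the commit message, that comma is what lets the pattern match the empty filename passed for a directory listing, so a later cleanup that drops it as a typo would quietly turn this into a file-only protection fixture. Suggest stating this in the regression test that consumes the fixture, and adding a sibling sample directory whose BUILD-INFO.txt has `Files-Pattern: *.txt` without the comma, so the listing behaviour for that form is pinned explicitly as well. Also worth checking both URL forms from the commit message (with and without the trailing "/") against this directory, since that difference was the original leak.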