Forum OpenACS Development: oacs-dav's preauth filter is too broad

I host a blog for a friend whose name happens to be Dave (not our famous Dave), so I host it at http://kurup.org/dave.

I installed Forums recently, which installs oacs-dav.

oacs-dav registers preauth filters like so:

set prefix [parameter::get \
        -package_id [apm_package_id_from_key "oacs-dav"] \
        -parameter "WebDAVURLPrefix" \
        -default "/dav"]

set url "${prefix}/*"
set filter_url "${prefix}*"
ns_register_filter preauth GET ${filter_url} oacs_dav::authorize

Unfortunately, this inadvertently catches http://kurup.org/dave. Is there a reason why filter_url can't be "${prefix}/*"?

Also, if someone has the time, I'm curious how I'd write an automated test to expose this bug (just for education's sake)?

Posted by Dave Bauer on
Vinod, does it work with filter_url set to ${prefix}/* ?

I can't recall why I set it up that way, but there seems to have been some reason.

Posted by Vinod Kurup on
That fixes my site, but I haven't tested webdav functionality since I didn't need it.

I also figured that it must have been set that way for a reason, but I'll try it like this and get back to you if I test out the webdav stuff. Thanks.

Posted by Dave Bauer on
It appears to possibly be a misunderstanding of the documentation. It would be interesting to change the filter and then test it.
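
A way to compare the two filter patterns from this thread outside the server, as an added example that is not part of the original posts or of oacs-dav. It assumes ns_register_filter matches the request URL with the same glob rules as Tcl's string match; the sample paths, their WebDAV classification and the proc name check_pattern are constructed for illustration.

```tcl
# Added example: model the preauth filter's URL matching with [string match].
# Assumption: ns_register_filter applies glob matching to the request URL.

set prefix "/dav"

# Constructed request paths, each paired with 1 if it belongs to the
# WebDAV URL space and 0 if it is unrelated site content.
# Assumption: the bare prefix "/dav" itself counts as a WebDAV URL.
set cases {
    /dav             1
    /dav/            1
    /dav/file.txt    1
    /dave            0
    /dave/2005/post  0
    /david           0
    /blog/dav        0
}

# Return a list of mismatches between what the pattern catches and what
# it should catch: unrelated URLs sent to the authorize filter
# ("over-match") and WebDAV URLs that bypass it ("missed").
proc check_pattern {pattern cases} {
    set problems {}
    foreach {url is_dav} $cases {
        set hit [string match $pattern $url]
        if {$hit && !$is_dav} { lappend problems "over-match: $url" }
        if {!$hit && $is_dav} { lappend problems "missed: $url" }
    }
    return $problems
}

# Check the registered pattern and the proposed replacement side by side.
foreach pattern [list "${prefix}*" "${prefix}/*"] {
    puts "pattern $pattern"
    set problems [check_pattern $pattern $cases]
    if {[llength $problems] == 0} { puts "  ok" }
    foreach p $problems { puts "  $p" }
}
```

Under that matching assumption, "${prefix}*" reports /dave, /dave/2005/post and /david as over-matches, while "${prefix}/*" reports only the bare /dav as missed. Whether the bare prefix needs to reach oacs_dav::authorize is the thing to confirm when testing WebDAV with the narrower pattern.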