Title: Servlet named attach is overloaded
Date: 05-Dec-2004 20:02:30 EET
Version: JSPWiki v2.0.52
Submitter: ReinhardEngel
Criticality: LightBug
Browser version: Internet Explorer 6.0 SP1
Status: ClosedBug
PageProvider used:
Servlet Container: Tomcat 5.0.19
Operating System: Windows XP Pro
URL:
Java version: 1.4.1 IBM Build cn141-20030516

Servlet named "attach" is overloaded

The servlet named attach is overloaded to the point where security and access control become problematic.

At my sites,

  • Unregistered users are not allowed to view any pages
  • There are two roles: editor and reader
  • A reader can only view pages and download attachments
  • An editor can do everything a reader can do plus edit pages and upload attachments
  • All content is considered sensitive and protected by SSL.

At first, I just restricted Edit.jsp and Upload.jsp to editors. Imagine my shock when my testers discovered that readers could replace attachments by using the form provided by the PageInfo.jsp. This form invokes the attach servlet which is mapped to the AttachmentServlet.

To close this hole, I restricted attach and AttachmentServlet to editors as well, but this has a nasty side effect. The attach servlet is used to download and in-line attachments as well. By adding this restriction, I have made it impossible for readers to download attachments or see in-line pictures.

My software design experience makes me believe that overloading attach for both upload and download operations is a bad idea, as demonstrated by this unintended consequence. Please consider using a command/action pattern where upload and download operations are implemented in separate servlets, sharing common code in an appropriate Java class under the covers.

Here are the security constraints that demonstrate the problem.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>BaderWiki</web-resource-name>
        <!-- /* covers every path; a bare * is not a valid servlet url-pattern -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>reader</role-name>
        <role-name>editor</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Edit</web-resource-name>
        <url-pattern>/Edit.jsp</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Protected Upload</web-resource-name>
        <url-pattern>/Upload.jsp</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Protected Attach</web-resource-name>
        <url-pattern>/attach</url-pattern>
        <http-method>DELETE</http-method>
        <!-- listing GET here is what locks readers out of downloads and in-line images -->
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Protected AttachmentServlet</web-resource-name>
        <url-pattern>/AttachmentServlet</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>editor</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BaderWiki Access Control</realm-name>
</login-config>
<security-role>
    <description>Editors are allowed to edit wiki pages and upload attachments.</description>
    <role-name>editor</role-name>
</security-role>
<security-role>
    <description>Readers are allowed to only view wiki pages.</description>
    <role-name>reader</role-name>
</security-role>

Lance D Bader

Oops, you're right. This is a bit of a hassle, I agree. I'll have to move the upload functionality somewhere else.

--JanneJalkanen

(moved from old BugReports)

What about restricting POST to the editor role, while allowing GET to the readers? Just an idea. -- Jawe

Yes, that should work nicely as a workaround, if you use this:

    <web-resource-collection>
        <web-resource-name>Protected Attach</web-resource-name>
        <url-pattern>/attach</url-pattern>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>

-- JanneJalkanen
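To see how a container would evaluate the two configurations discussed above, here is an added Python model of servlet-spec constraint selection (not JSPWiki or Tomcat code). It rebuilds the catch-all and /attach constraints from the report as constructed fragments, assumes the catch-all pattern is written `/*`, and also shows that, because the exact pattern `/attach` shadows `/*`, any method not listed for `/attach` is left uncovered, so a hardened variant lists reader GET/HEAD explicitly.

```python
# Added model of servlet-spec constraint selection; not JSPWiki or Tomcat code.
import xml.etree.ElementTree as ET

def fragment(name, pattern, methods, roles):
    """One <security-constraint>, constructed to mirror the report's web.xml."""
    http = "".join(f"<http-method>{m}</http-method>" for m in methods)
    who = "".join(f"<role-name>{r}</role-name>" for r in roles)
    return (f"<security-constraint><web-resource-collection><web-resource-name>{name}"
            f"</web-resource-name><url-pattern>{pattern}</url-pattern>{http}"
            f"</web-resource-collection><auth-constraint>{who}</auth-constraint>"
            "</security-constraint>")

CATCH_ALL = fragment("BaderWiki", "/*", [], ["reader", "editor"])
# Lance's setup: every method on /attach is editors-only, so readers cannot download.
ORIGINAL = "<web-app>" + CATCH_ALL + fragment(
    "Protected Attach", "/attach", ["DELETE", "GET", "POST", "PUT"], ["editor"]) + "</web-app>"
# Janne's workaround: only POST and PUT on /attach are editors-only.
WORKAROUND = "<web-app>" + CATCH_ALL + fragment(
    "Protected Attach", "/attach", ["POST", "PUT"], ["editor"]) + "</web-app>"
# The exact pattern /attach shadows /*, so reader access to GET/HEAD must be listed too.
HARDENED = "<web-app>" + CATCH_ALL + fragment(
    "Protected Attach", "/attach", ["DELETE", "POST", "PUT"], ["editor"]) + fragment(
    "Reader Download", "/attach", ["GET", "HEAD"], ["reader", "editor"]) + "</web-app>"

def constraints(web_xml):
    """Yield (patterns, methods, roles) per web-resource-collection; empty methods = all."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            yield ({p.text.strip() for p in wrc.iter("url-pattern")},
                   {m.text.strip() for m in wrc.iter("http-method")}, roles)

def best_pattern(patterns, path):
    """Servlet mapping rules: exact match first, otherwise the longest '/prefix/*'."""
    prefixes = [p for p in patterns if p.endswith("/*") and (path + "/").startswith(p[:-1])]
    return path if path in patterns else (max(prefixes, key=len) if prefixes else None)

def allowed(web_xml, role, method, path):
    """True if a user holding `role` (None = unauthenticated) may send method/path."""
    rules = list(constraints(web_xml))
    best = best_pattern(set().union(*(pats for pats, _, _ in rules)), path)
    roles = None  # stays None when no rule covers the method: the request is uncovered
    for pats, meths, rset in rules:
        if best in pats and (not meths or method in meths):
            if rset is None:  # rule without auth-constraint grants everyone access
                return True
            roles = (roles or set()) | rset
    return roles is None or (role is not None and role in roles)
```

Methods listed nowhere for /attach (OPTIONS, TRACE) stay uncovered even in HARDENED; Servlet 3.1 containers can close that with `<deny-uncovered-http-methods/>` in web.xml, which Tomcat 5 predates.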


Looks like 2.4.100 still uses the same AttachmentServlet for both downloading and uploading attachments......

--HarryMetske, 10-Mar-2007


Yes, and it's rather RESTish that way. Esp. with the new AAA system, I think we don't have to do anything to this...

--JanneJalkanen, 12-Mar-2007

This page (revision-6) was last changed on 12-Mar-2007 21:24 by HarryMetske