This patch addresses the vulnerability which allowed a user with the proper
knowledge of the location of offline patron lists to download the file over
regular HTTP without any staff credentials.

This small addition to eg_vhost.conf.in will present users with a login prompt
when trying to access the /standalone/ subdirectory on an Evergreen server.
Users are able to download the patron list in the staff client as normal
because they already have obtained credentials during the normal staff client
authentication process.

Signed-off-by: Michael Peters <mpeters@emeralddata.net>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Bill Erickson <berick@esilibrary.com>
allow from all
</Location>
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+<Location /standalone/>
+ AuthType Basic
+ AuthName "Standalone Mode Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ require valid-user
+ PerlSendHeader On
+ allow from all
+</Location>
# ----------------------------------------------------------------------------------
# Reporting output lives here
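Review bot: the new `<Location /standalone/>` block uses `AuthType Basic`, so the staff credentials it now demands travel base64-encoded, not encrypted; since the commit message says the files were reachable "over regular HTTP", the same block should also refuse plain HTTP (for example `SSLRequireSSL`, or a vhost-level redirect of /standalone/ to https) so that fixing the unauthenticated download does not trade it for staff passwords on the wire. Two smaller points: `require valid-user` relies entirely on `OpenILS::WWW::Proxy::Authen` honouring `OILSProxyPermissions "STAFF_LOGIN"`, so a comment noting that the permission check, not `valid-user`, is what limits access to staff would help the next reader; and `allow from all` without an `Order` directive mirrors the preceding block, which is fine for consistency but worth a note if the vhost is ever moved to a 2.4-style `Require` configuration.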