From 51f96e23aa401f113925063e615b1935c01e1f40 Mon Sep 17 00:00:00 2001
From: Michael Peters
Date: Tue, 24 Sep 2013 16:57:37 -0400
Subject: [PATCH] LP#1207281 Prevent download of offline patron list without authentication
This patch addresses the vulnerability which allowed a user with the proper knowledge of the location of offline patron lists to download the file over regular HTTP without any staff credentials. This small addition to eg_vhost.conf.in will present users with a login prompt when trying to access the /standalone/ subdirectory on an Evergreen server. Users are able to download the patron list in the staff client as normal because they already have obtained credentials during the normal staff client authentication process.
Signed-off-by: Michael Peters
Signed-off-by: Galen Charlton
Signed-off-by: Bill Erickson
Signed-off-by: Mike Rylander
---
 Open-ILS/examples/apache/eg_vhost.conf.in | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/Open-ILS/examples/apache/eg_vhost.conf.in b/Open-ILS/examples/apache/eg_vhost.conf.in
index bf58315a12..d640191471 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf.in
+++ b/Open-ILS/examples/apache/eg_vhost.conf.in
@@ -487,6 +487,19 @@ RewriteRule .? - [E=locale:%{HTTP:Accept-Language}]
 allow from all
+# ----------------------------------------------------------------------------------
+# Protect Standalone/Offline mode files from public view
+# ----------------------------------------------------------------------------------
+
+ AuthType Basic
+ AuthName "Standalone Mode Login"
+ PerlOptions +GlobalRequest
+ PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
+ PerlAuthenHandler OpenILS::WWW::Proxy::Authen
+ require valid-user
+ PerlSendHeader On
+ allow from all
+
 # ----------------------------------------------------------------------------------
 # Reporting output lives here
-- 2.11.0
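Review bot: The new `/standalone/` block gates the directory behind HTTP Basic authentication, but nothing in the hunk restricts it to TLS, so if this include is also loaded by the plain-HTTP vhost (the commit message notes the files were reachable over regular HTTP) the staff credentials typed into the prompt travel base64-encoded in cleartext. Adding `SSLRequireSSL` inside the block, or redirecting `/standalone/` to HTTPS ahead of authentication, would close that gap and is worth a one-line comment explaining why. The `<Location>` open and close lines for the block appear to have been lost in this rendering of the hunk, so the exact container is inferred from the surrounding directives and the 13-line insertion count. The enclosing configuration continues outside the hunk.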