Opened 14 years ago
Closed 14 years ago
#294 closed defect (fixed)
Security hole in GeoNetwork search
| Reported by: | heikki | Owned by: | heikki |
|---|---|---|---|
| Priority: | blocker | Milestone: | v2.6.0 |
| Component: | General | Version: | v2.6.0RC0 |
| Keywords: | | Cc: | |
Description
When you craft a search request such that it has a group as a parameter, the search results that are returned are just the metadata from that group, regardless of whether you are allowed to see those.
To reproduce:
- login as admin
- create a group and note its id. Let's say its id is 3.
- create a metadata belonging to group 3. Verify it is only visible to users from group 3, and certainly not to group 'all'.
- logout
- craft a search request containing the group parameter. For example, in gn_search.js, add the line "pars += "&group=3";" to the "runSimpleSearch" function
- while still logged out, execute the search that includes this group parameter.
The non-published metadata from group 3 are now shown in your search results.
Change History (2)
comment:1 by , 14 years ago
| Status: | new → assigned |
|---|---|
comment:2 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed by adding a check in LuceneSearcher such that an exception is thrown when the search request contains group(s) parameters, but they are not in the user's groups.
Check is omitted if you're logged in as an ADMINISTRATOR.
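The class below is an added illustration of the membership check the fix describes; it is not GeoNetwork's LuceneSearcher code. It assumes integer group ids, a user profile string, and the name "Administrator" for the role the ticket calls ADMINISTRATOR (all assumptions, not taken from the project). It fails closed: a request naming any group the caller does not belong to is refused with an exception rather than having the parameter silently dropped, which matches the ticket's fix and keeps bypass attempts visible in the server log.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative guard (not GeoNetwork's own code): reject a search whose
 * "group" parameters name groups the caller is not a member of, unless the
 * caller is an administrator. Group ids and the profile name are assumptions.
 */
public final class GroupFilterGuard {

    /** Thrown when a request asks for groups outside the caller's membership. */
    public static final class ForbiddenGroupException extends RuntimeException {
        public ForbiddenGroupException(Set<Integer> offending) {
            super("Search requested groups not visible to caller: " + offending);
        }
    }

    private GroupFilterGuard() {}

    /**
     * Returns the set of group ids the search may filter on.
     *
     * @param requestedGroups group ids taken from the "group" request parameters (may be empty)
     * @param userGroups      group ids the authenticated user belongs to; empty for anonymous
     * @param profile         the user's profile, e.g. "Administrator" (assumed name); null for anonymous
     */
    public static Set<Integer> allowedGroupFilter(List<Integer> requestedGroups,
                                                  Set<Integer> userGroups,
                                                  String profile) {
        Set<Integer> requested = new HashSet<>(requestedGroups);
        // Administrators may filter on any group; the membership check is skipped.
        if ("Administrator".equalsIgnoreCase(profile)) {
            return Collections.unmodifiableSet(requested);
        }
        // Any requested group that is not one of the caller's groups is an authorization failure.
        Set<Integer> offending = new HashSet<>(requested);
        offending.removeAll(userGroups);
        if (!offending.isEmpty()) {
            // Fail closed: refuse the whole request instead of partially honouring it.
            throw new ForbiddenGroupException(offending);
        }
        return Collections.unmodifiableSet(requested);
    }

    public static void main(String[] args) {
        // Constructed sample: an anonymous caller (no groups) asks for group 3, as in the ticket.
        try {
            allowedGroupFilter(List.of(3), Set.of(), null);
        } catch (ForbiddenGroupException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A member of group 3 may filter on it.
        System.out.println("allowed: " + allowedGroupFilter(List.of(3), Set.of(1, 3), "Editor"));
        // An administrator may filter on any group.
        System.out.println("allowed: " + allowedGroupFilter(List.of(3, 7), Set.of(), "Administrator"));
    }
}
```

This parameter check complements, and does not replace, the per-record privilege filtering that the search must still apply to every result; the group parameter is only one way a caller can try to widen the result set.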