You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@archiva.apache.org by "Maria Odea Ching (JIRA)" <ji...@codehaus.org> on 2008/10/07 07:39:08 UTC
[jira] Closed: (MRM-967) Security Issue: If repository observer
role is enabled for the 'guest' user, an invalid user is able to deploy to
that repository
[ http://jira.codehaus.org/browse/MRM-967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maria Odea Ching closed MRM-967.
--------------------------------
Assignee: Maria Odea Ching
Resolution: Fixed
Fix Version/s: 1.1.3
Fixed in trunk -r702027 and merged in 1.1.x branch -r702032.
> Security Issue: If repository observer role is enabled for the 'guest' user, an invalid user is able to deploy to that repository
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: MRM-967
> URL: http://jira.codehaus.org/browse/MRM-967
> Project: Archiva
> Issue Type: Bug
> Components: Users/Security, WebDAV interface
> Affects Versions: 1.1.2
> Reporter: Maria Odea Ching
> Assignee: Maria Odea Ching
> Priority: Critical
> Fix For: 1.1.3
>
>
> Steps to reproduce (using repository 'snapshots'):
> 1. Configure the <distributionManagement> of your project's pom to deploy your project to 'snapshots' repository, as follows:
> <distributionManagement>
> <repository>
> <id>releases</id>
> <name>Releases Repository</name>
> <layout>default</layout>
> <url>dav:http://localhost:8080/archiva/repository/releases/</url>
> </repository>
> <snapshotRepository>
> <id>snapshots</id>
> <uniqueVersion>true</uniqueVersion>
> <name>Snapshots Repository</name>
> <layout>default</layout>
> <url>dav:http://localhost:8080/archiva/repository/snapshots/</url>
> </snapshotRepository>
> </distributionManagement>
> 2. Enable the 'snapshots' repository observer role for 'guest' user
> 3. Add an invalid user credentials in your settings.xml for 'snapshots' repository, as shown below:
> <server>
> <id>snapshots</id>
> <username>invalidusername</username>
> <password>password</password>
> </server>
> 4. Execute 'mvn clean deploy' in your project.
> Alternatively, you can also use the deploy-file goal to replicate the issue so you won't need to configure your pom (ex. 'mvn deploy:deploy-file -Dfile=nunit.framework.dll -DgroupId=NUnit -Dversion=2.4.8.0 -Dpackaging=dll -DartifactId=NUnit.Framework.dll -DrepositoryId=snapshots -Durl=http://localhost:8080/archiva/repository/snapshots -DgeneratePom=true')
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira