示例#1
0
        private IDictionary LoadRules(FileInfo f)
        {
            IDictionary dictionary = (IDictionary) new Hashtable();
            FileStream  fileStream = (FileStream)null;

            try
            {
                fileStream = new FileStream(f.FullName, FileMode.Open, FileAccess.Read);
                string str1;
                while ((str1 = Owasp.Esapi.Esapi.Validator().SafeReadLine((Stream)fileStream, 500)) != null)
                {
                    if (str1.Length > 0 && str1[0] != '#')
                    {
                        AccessController.Rule rule = new AccessController.Rule();
                        string[] strArray          = str1.Split(new string[1]
                        {
                            "|"
                        }, StringSplitOptions.None);
                        rule.path = strArray[0].Trim().Replace("\\", "/");
                        rule.roles.Add((object)strArray[1].Trim().ToLower());
                        string str2 = strArray[2].Trim();
                        rule.allow = str2.ToUpper().Equals("allow".ToUpper());
                        if (dictionary.Contains((object)rule.path))
                        {
                            AccessController.logger.LogWarning(ILogger_Fields.SECURITY, "Problem in access control file. Duplicate rule ignored: " + (object)rule);
                        }
                        dictionary[(object)rule.path] = (object)rule;
                    }
                }
                return(dictionary);
            }
            catch (Exception ex)
            {
                AccessController.logger.LogWarning(ILogger_Fields.SECURITY, "Problem in access control file", ex);
            }
            finally
            {
                try
                {
                    fileStream?.Close();
                }
                catch (IOException ex)
                {
                    AccessController.logger.LogWarning(ILogger_Fields.SECURITY, "Failure closing access control file: " + (object)f, (Exception)ex);
                }
            }
            return(dictionary);
        }
示例#2
0
        private AccessController.Rule SearchForRule(IDictionary map, IList roles, string path)
        {
            string str1 = (string)null;

            try
            {
                str1 = Owasp.Esapi.Esapi.Encoder().Canonicalize(path);
            }
            catch (EncodingException ex)
            {
                AccessController.logger.LogWarning(ILogger_Fields.SECURITY, "Failed to canonicalize input: " + path);
            }
            string str2 = str1;

            while (str2.EndsWith("/"))
            {
                str2 = str2.Substring(0, str2.Length - 1);
            }
            if (str2.IndexOf("..") != -1)
            {
                throw new IntrusionException("Attempt to manipulate access control path", "Attempt to manipulate access control path: " + path);
            }
            string str3 = "";
            int    num  = str2.LastIndexOf(".");

            if (num != -1)
            {
                str3 = str2.Substring(num + 1);
            }
            AccessController.Rule rule = ((AccessController.Rule)map[(object)str2] ?? (AccessController.Rule)map[(object)(str2 + "/*")]) ?? (AccessController.Rule)map[(object)("*." + str3)];
            if (rule != null && this.Overlap(rule.roles, roles))
            {
                return(rule);
            }
            if (!str2.Contains("/"))
            {
                return(this.deny);
            }
            string path1 = str2.Substring(0, str2.LastIndexOf('/'));

            if (path1.Length <= 1)
            {
                return(this.deny);
            }
            return(this.SearchForRule(map, roles, path1));
        }