Opened 17 years ago
Last modified 17 years ago
#4876 closed defect
htpasswd: full pathname allowedR — at Initial Version
| Reported by: | Owned by: | Christopher Lenz | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | admin/web | Version: | 0.10.3 |
| Severity: | major | Keywords: | path write access security |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
All my trac instances are in one folder:
/folder/trac/instance1 /folder/trac/instance2
The apache-user has write access on both folders.
From within TracWebAdmin, I can give the full pathname of the passwd-file (_filename).
This means I can write to /folder/trac/instance2 whilst being logged in on http://domainname.ext/trac/instance1, giving me access to a project I am not supposed to have access on.
Am I missing something?
Regards,
— mverwijs
Note:
See TracTickets
for help on using tickets.
