Opened 17 years ago
Last modified 17 years ago
#4876 closed defect
htpasswd: full pathname allowed — at Initial Version
Reported by: | | Owned by: | Christopher Lenz |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | admin/web | Version: | 0.10.3 |
Severity: | major | Keywords: | path write access security |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
All my trac instances are in one folder:
/folder/trac/instance1
/folder/trac/instance2
The apache-user has write access on both folders.
From within TracWebAdmin, I can give the full pathname of the passwd-file (_filename).
This means I can write to /folder/trac/instance2 whilst being logged in on http://domainname.ext/trac/instance1, giving me access to a project I am not supposed to have access to.
Am I missing something?
Regards,
— mverwijs
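
One way a per-instance check could close the gap described in the report, shown as an added example (not code from Trac or the WebAdmin plugin): the configured password-file path is resolved and rejected unless it stays inside the instance's own directory. The names `confine_to_env` and `PathOutsideEnvironment` and the temporary two-instance layout are assumptions made for illustration.

```python
import os
import tempfile


class PathOutsideEnvironment(ValueError):
    """Raised when a configured file path escapes the instance directory."""


def confine_to_env(env_dir, configured):
    """Return the real path of `configured` (the admin-form value) or raise."""
    root = os.path.realpath(env_dir)
    # os.path.join discards `root` when `configured` is absolute, so an
    # absolute path is judged by where it really points, like any other.
    candidate = os.path.realpath(os.path.join(root, configured))
    # realpath has already resolved ".." and symlinks; commonpath compares
    # whole components, so /x/instance1 does not match /x/instance10.
    if os.path.commonpath([root, candidate]) != root:
        raise PathOutsideEnvironment(
            "%r resolves outside %r" % (configured, root))
    return candidate


def demo():
    """Run the check against a constructed two-instance layout."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        inst1 = os.path.join(base, "trac", "instance1")
        inst2 = os.path.join(base, "trac", "instance2")
        os.makedirs(os.path.join(inst1, "conf"))
        os.makedirs(os.path.join(inst2, "conf"))
        os.symlink(inst2, os.path.join(inst1, "link"))  # constructed symlink
        cases = {
            "relative": "conf/htpasswd",
            "absolute_own": os.path.join(inst1, "conf", "htpasswd"),
            "absolute_other": os.path.join(inst2, "conf", "htpasswd"),
            "dotdot": "../instance2/conf/htpasswd",
            "symlink": "link/conf/htpasswd",
        }
        for name, value in cases.items():
            try:
                confine_to_env(inst1, value)
                results[name] = "allowed"
            except PathOutsideEnvironment:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The check only limits what the admin form accepts. While the apache user can write to both folders, separate per-instance file permissions are what keep one instance's process out of the other's directory.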