Ticket #5022 (closed defect: fixed)
Opened 5 years ago
Last modified 4 years ago
[patch] existing tickets are opened via /newticket URL
| Reported by: | pkou at ua.fm | Owned by: | cboos |
|---|---|---|---|
| Priority: | low | Milestone: | 0.11 |
| Component: | ticket system | Version: | devel |
| Severity: | minor | Keywords: | security |
| Cc: | |||
| Release Notes: | |||
| API Changes: | |||
Description
It is possible to open existing tickets using /newticket URL.
Sample: http://tracsite/newticket?id=1 will open ticket #1
Possible fix:
-
web_ui.py
115 115 return True 116 116 117 117 def process_request(self, req): 118 if 'id' in req.args:118 if re.match(r'/ticket/([0-9]+)$', req.path_info) is not None: 119 119 return self._process_ticket_request(req) 120 120 return self._process_newticket_request(req)
Cf. with match_request also.
Attachments
Change History
comment:1 Changed 5 years ago by cboos
- Milestone changed from 0.11.1 to 0.11
- Owner changed from jonas to cboos
comment:2 Changed 4 years ago by cboos
- Resolution set to fixed
- Status changed from new to closed
Fixed in r6014.
comment:3 Changed 4 years ago by nkantrowitz
- Resolution fixed deleted
- Status changed from closed to reopened
I would rather see this redirect to the correct /ticket page than just show an error. Thoughts?
comment:4 follow-up: ↓ 5 Changed 4 years ago by cboos
I think redirects should rather be used for "normalizing" different valid URLs to the same canonical URL (like we do for a Wiki page with name ending with "/", for example).
Here (/newticket?id=1) it's clearly an error and not an alternative "valid" URL for /ticket/1.
comment:5 in reply to: ↑ 4 Changed 4 years ago by hyuga <hyugaricdeau@…>
Replying to cboos:
I think redirects should rather be used for "normalizing" different valid URLs to the same canonical URL (like we do for a Wiki page with name ending with "/", for example).
Here (/newticket?id=1) it's clearly an error and not an alternative "valid" URL for /ticket/1.
I agree. Wouldn't really want users thinking /newticket?id=1 is at all valid. I could see that leading to bad things.
comment:6 follow-up: ↓ 7 Changed 4 years ago by cboos
- Resolution set to fixed
- Status changed from reopened to closed
Closing again, /newticket?id=1 is definitely a bogus URL and should be reported as such.
Now, we could eventually reconsider the problem and allow the creation of tickets with an explicit id if they don't exist, but that's a different issue and brings some new concerns (would work just fine for deleted tickets, but what about ids that have simply not yet been reached?).
comment:7 in reply to: ↑ 6 Changed 4 years ago by cboos
Replying to cboos:
Closing again, /newticket?id=1 is definitely a bogus URL and should be reported as such.
I've reconsidered this after r6120,6122 made the issue go away: adding back the check and raising an error would only have made the code more complex and goes in the direction of strictly checking all the URL parameters, which I'm not sure is a good thing to do (thinking about extensions). So better ignore that extra id since now it is harmless (see r6565).
A req.path_info.startswith('/newticket/') should also do.