Edgewall Software

Ticket #7391 (assigned defect)

Opened 3 months ago

Last modified 3 months ago

renamed plugin disable commands in trac.ini [components] silently fail, a security issue

Reported by: anonymous
Owned by: anonymous
Priority: normal
Milestone: 0.11.2
Component: admin/web
Version: 0.11
Severity: critical
Keywords: security
Cc:

Description

On upgrading to trac 0.11, I found I had to rename:

   webadmin.plugin.pluginadminpage=disabled

to

   trac.admin.web_ui.PluginAdminPanel=disabled

The problem here is that I found this by noticing that trac 0.11 was allowing uploads.

There was no complaint about the old disabled line not being relevant any more, and no upgrade documentation to warn that if we locked things down in webadmin we now need to rename the lines in the config file.

I think the lack of warning (in code or in documentation) is a security risk to people upgrading.

Attachments

Change History

Changed 3 months ago by anonymous

  • owner set to anonymous
  • status changed from new to assigned

ccc

Changed 3 months ago by Piotr Kuczynski <piotr.kuczynski@…>

  • keywords security added
  • version set to 0.11
  • component changed from general to admin/web
  • severity changed from normal to critical
  • milestone set to 0.11.1
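
An added example, not part of the original ticket and not Trac's own code: a pre-upgrade audit that flags [components] entries matching no installed component, the silent failure the description reports. The component list, the sample ini text, the matching rule (case-insensitive full module.Class name or a dotted prefix, with an optional trailing .*) and the set of values treated as "enabled" are assumptions.

```python
import configparser

# Constructed sample: a lock-down line from before the upgrade, carried
# unchanged into a 0.11 trac.ini.
SAMPLE_INI = """\
[components]
webadmin.plugin.pluginadminpage = disabled
trac.ticket.* = enabled
"""

# Assumption: the caller supplies the dotted module.Class names that the
# installed Trac registers. The first name is the one given in the ticket;
# the second is sample data.
KNOWN_COMPONENTS = {
    "trac.admin.web_ui.PluginAdminPanel",
    "trac.ticket.web_ui.TicketModule",
}

def rule_matches(rule, component):
    """True if a [components] key names the component or a dotted prefix of it."""
    rule = rule.lower()
    if rule.endswith(".*"):
        rule = rule[:-2]
    component = component.lower()
    return component == rule or component.startswith(rule + ".")

def stale_rules(ini_text, known_components):
    """Return (key, value) pairs in [components] that match no known component."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(ini_text)
    if not parser.has_section("components"):
        return []
    return [(key, value.strip()) for key, value in parser.items("components")
            if not any(rule_matches(key, c) for c in known_components)]

def ineffective_lockdowns(ini_text, known_components):
    """Stale keys that were meant to switch something off: the risky case."""
    enabled = {"enabled", "on"}  # assumption: any other value means "disable"
    return [key for key, value in stale_rules(ini_text, known_components)
            if value.lower() not in enabled]

if __name__ == "__main__":
    for key in ineffective_lockdowns(SAMPLE_INI, KNOWN_COMPONENTS):
        print("WARNING: [components] %s disables nothing that is installed" % key)
```

Running the audit after an upgrade, and failing the deployment when it reports anything, turns a silently ignored lock-down into a visible error.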
