Modify ↓
Ticket #7875 (closed defect: invalid)
Opened 3 years ago
Last modified 3 years ago
Security Hole in Trac 0.11
| Reported by: | anonymous | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | version control | Version: | 0.11 |
| Severity: | normal | Keywords: | security needinfo |
| Cc: | |||
| Release Notes: | |||
| API Changes: | |||
Description
Users having FILE_VIEW and BROWSER_VIEW permissions have read access to the whole Subversion tree and can get any file, no matter if the AuthzSVNAccessFile file might be restricting them in the regular svn clients.
Trac must be able to restrict users/groups according to the grained permissions in the AuthzSVNAccessFile.
Attachments
Change History
comment:1 Changed 3 years ago by osimons
- Keywords needinfo added
comment:2 Changed 3 years ago by anonymous
- Resolution set to invalid
- Status changed from new to closed
Thank you so much! I did what you explain and now it works as expected :)
comment:3 Changed 3 years ago by eblot
- Milestone 0.11.3 deleted
- Priority changed from highest to normal
- Severity changed from critical to normal
(cleaning up milestone)
Note: See
TracTickets for help on using
tickets.
I'm quite sure the feature works as it should, and suspect this is due to misconiguration at your end. Could you please check your settings for authz_file (and authz_module_name if you have more than one repos controlled by that file) - see TracIni#trac-section.
If the settings are correct, then please provide an extract of your authz file that allows us to reproduce the exact problem you are seeing.