Opened 20 years ago
Closed 20 years ago
#1137 closed defect (fixed)
Possible Information Disclosure With Authz
| Reported by: | | Owned by: | Christopher Lenz |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.9 |
| Component: | general | Version: | 0.8 |
| Severity: | normal | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
When using the authz permission system to restrict access, privileged information may be accessible in the form of the files and log messages involved in changesets, and log messages in the browser. An example of such a situation is when a repository contains both private and public files: information about changes to the private files should not be available to unauthorised users.
Attachments (9)
Change History (15)
by , 20 years ago
Attachment: trac-authz-strict.patch added
comment:1 by , 20 years ago
Note: the attached patch also fixes some inconsistent indentation in authzperm.py.
by , 20 years ago
Attachment: trac-authz-strict.2.patch added
Updated patch. Moves _has_permission_for_changeset to AuthzPermission.has_permission_for_changeset.
comment:2 by , 20 years ago
Do we really need to add a new option for this? I.e. when would one want to use non-strict authz?
comment:3 by , 20 years ago
I believe someone on IRC mentioned the case where you want clients to be able to see what changes have occurred without being able to view the code (or similar).
comment:4 by , 20 years ago
The updated patch removes the strict option, with that being the default. It now raises a permission error when viewing a changeset that only contains files that we are not authorized to view. authzperm.AuthzPermissionError is now a subclass of perm.PermissionError, which is more logical and prevents the 'Internal Error' page when a permission error occurs.
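An added example, not the ticket's patch, of the rule comment:4 describes: a changeset is denied only when none of its changed paths is readable by the requesting user, and the same check filters the timeline, search and log listings mentioned in the later attachments. The authz file, the path-matching logic and the changesets below are a simplified Subversion-style reimplementation constructed for illustration, not Trac's authzperm module.

```python
import configparser

# Constructed sample authz file in Subversion path-based syntax (assumption for
# this example): everything is world-readable except /private, which only
# alice may read.
AUTHZ_TEXT = """
[/]
* = r
[/private]
* =
alice = r
"""

def parse_authz(text):
    """Return {section_path: {user: access_string}} from authz-style text."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        path = section.rstrip("/") or "/"
        rules[path] = {user: (acl or "") for user, acl in cp.items(section)}
    return rules

def _sections_for(rules, path):
    """Yield the rule sections that cover `path`, most specific first."""
    parts = [p for p in path.strip("/").split("/") if p]
    for i in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:i])
        if candidate in rules:
            yield rules[candidate]

def can_read(rules, user, path):
    """Most specific section with an entry for the user (or '*') decides."""
    for section in _sections_for(rules, path):
        if user in section:
            return "r" in section[user]
        if "*" in section:
            return "r" in section["*"]
    return False  # no matching rule at all: deny

def has_permission_for_changeset(rules, user, changed_paths):
    """Comment:4 rule: deny only when every path in the changeset is hidden."""
    return any(can_read(rules, user, p) for p in changed_paths)

def visible_changesets(rules, user, changesets):
    """Filter for timeline/search/log views: keep only permitted revisions."""
    return [rev for rev, paths in changesets
            if has_permission_for_changeset(rules, user, paths)]

# Constructed changesets as (revision, changed paths) pairs.
CHANGESETS = [
    (10, ["/public/README"]),
    (11, ["/private/keys.txt"]),
    (12, ["/private/plan.txt", "/public/index.html"]),
]
```

Revision 12 stays visible to everyone because it also touches a public path; a view rendering it should still omit the private entries, which is a separate per-path check with can_read.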
by , 20 years ago
Attachment: trac-authz-strict.4.patch added
Fix silly bug introduced by adding an unneeded argument to AuthzPermissionError.__init__.
by , 20 years ago
Attachment: trac-authz-strict.5.patch added
Modified patch so that denied changesets are not shown in the timeline.
by , 20 years ago
Attachment: trac-authz-strict.6.patch added
Another patch for the patch; the last one was broken.
by , 20 years ago
Updated to not display log messages for inaccessible directories in browser view.
by , 20 years ago
Attachment: trac-authz-strict.7.patch added
Updated to not display log messages for inaccessible directories in browser view.
by , 20 years ago
Attachment: trac-authz-strict.8.patch added
Update patch to filter changesets in search results and log view.
comment:5 by , 20 years ago
| Milestone: | → 0.9 |
|---|---|
| Owner: | changed from  to  |
| Status: | new → assigned |
comment:6 by , 20 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Patch applied in [1332]. Thanks!
Patch that adds an authz_strict option to the configuration file which hides sensitive information from unauthorised users when enabled.