Edgewall Software

Opened 17 years ago

Closed 17 years ago

Last modified 17 years ago

#1220 closed defect (fixed)

Security Hole in Fine Grain Permission

Reported by: Richard Li Owned by: Christopher Lenz
Priority: normal Milestone: 0.8.1
Component: version control/changeset view Version: 0.8
Severity: major Keywords: authz
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christopher Lenz)

I discovered a security hole in fine grain permission. When browsing a Changeset with changes not authorized to access, the HTML-based diff output is dropped, but one thing is missing….

The availability to download the diff in other formats (Unified Diff) breaks the protection to gain access to the unauthorized information.
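The defect described above is an authorization check applied only to one output format. The following is an added illustration, not Trac's own code (the `has_permission`, `Change` and renderer names are hypothetical): the changeset is filtered once through a single chokepoint, and both the HTML view and the unified diff download consume the filtered list, so a second format cannot bypass the check.

```python
# Added illustration (not Trac code): the fine-grained read check must gate
# every output format of a changeset, not only the HTML view.
from dataclasses import dataclass

@dataclass
class Change:
    path: str
    old: str
    new: str

# Constructed sample changeset and a constructed path-based read policy.
CHANGESET = [
    Change("trunk/README", "hello\n", "hello world\n"),
    Change("trunk/secret/keys.txt", "old-key\n", "new-key\n"),
]
READABLE = {"trunk/README"}  # paths this viewer is allowed to read

def has_permission(path, readable):
    """Hypothetical stand-in for a fine-grained (authz) read check."""
    return path in readable

def visible_changes(changes, readable):
    """Single chokepoint: filter once, reuse it for every renderer."""
    return [c for c in changes if has_permission(c.path, readable)]

def render_html(changes, readable):
    """The protected path from the ticket: filtered before rendering."""
    return "".join(f"<li>{c.path}</li>" for c in visible_changes(changes, readable))

def unified_diff(change):
    """Minimal unified-diff text for one change (illustrative only)."""
    return (f"--- {change.path}\n+++ {change.path}\n"
            f"-{change.old}+{change.new}")

def render_unified_diff_vulnerable(changes, readable):
    """Alternate format that skips the check: the hole the ticket reports."""
    return "".join(unified_diff(c) for c in changes)

def render_unified_diff_fixed(changes, readable):
    """Alternate format routed through the same filter as the HTML view."""
    return "".join(unified_diff(c) for c in visible_changes(changes, readable))

def leaks_protected_paths(rendered, changes, readable):
    """Regression check: does the output name any path the viewer may not read?"""
    return any(c.path in rendered
               for c in changes if not has_permission(c.path, readable))
```

`leaks_protected_paths` is the kind of check worth running over every export format a view offers, since each new format is a new place to forget the filter.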

Attachments (0)

Change History (7)

comment:1 by Mark Rowe <edgewall.com@…>, 17 years ago

Severity: normal → major

comment:2 by Christopher Lenz, 17 years ago

Component: general → changeset view
Description: modified (diff)

Are you saying that the unified diff actually contains the changes to files protected by authz? Looking at the code, I can't see how that is possible, but maybe I'm missing something.

Also, what version of Trac are you using? SVN trunk?

comment:3 by Richard Li, 17 years ago

Oh, yes, this is the case. I am using Trac 0.8 release and replaced the buggy authzperm.py with the newest one in the trunk.

comment:4 by Christopher Lenz, 17 years ago

Owner: changed from Jonas Borgström to Christopher Lenz
Status: new → assigned
Version: devel → 0.8

This problem has been fixed in trunk some time ago, so it only applies to the 0.8-stable branch.

comment:5 by Christopher Lenz, 17 years ago

Keywords: authz added
Resolution: fixed
Status: assigned → closed

Fixed in [1269]. You'll also need [1270] if you're using Python 2.1.

comment:6 by Richard Li, 17 years ago

Finally, I get the sources from the 0.8-stable branch and merge the authzperm.py from [1184] back to replace the one in [967]. It is working all right in this way.

Will you update the authzperm.py in 0.8-stable to [1184] before releasing 0.8.1?

comment:7 by Christopher Lenz, 17 years ago

Done in [1274]. Thanks for the reminder.
