#1220 closed defect (fixed)
Security Hole in Fine Grain Permission
| Reported by: | Richard Li | Owned by: | Christopher Lenz |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.8.1 |
| Component: | version control/changeset view | Version: | 0.8 |
| Severity: | major | Keywords: | authz |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
I discovered a security hole in fine grain permission. When browsing a changeset with changes one is not authorized to access, the HTML-based diff output is dropped, but one thing is missing: the ability to download the diff in other formats (Unified Diff) breaks the protection and gives access to the unauthorized information.
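The defect class behind this ticket is an authorization filter that lives in one output path (the HTML view) but not in the alternate download format. The following is an added illustration, not Trac's code or its authzperm.py: a constructed changeset model and authz table, the vulnerable shape where only the HTML renderer filters, and the fixed shape where changes are filtered once before any format is chosen.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed changeset model (hypothetical, not Trac's own data structures).
@dataclass
class Change:
    path: str
    old: str
    new: str

# Constructed authz table: path prefix -> users allowed to read it.
AUTHZ: Dict[str, Set[str]] = {"/public": {"alice", "bob"}, "/secret": {"alice"}}

def allowed(user: str, path: str) -> bool:
    """A path is readable only if a matching prefix lists the user."""
    return any(path.startswith(prefix) and user in users
               for prefix, users in AUTHZ.items())

def render_html(changes: List[Change]) -> str:
    return "\n".join(f"<div>{c.path}: {c.old!r} -> {c.new!r}</div>" for c in changes)

def render_unified(changes: List[Change]) -> str:
    out: List[str] = []
    for c in changes:
        out += [f"--- a{c.path}", f"+++ b{c.path}", f"-{c.old}", f"+{c.new}"]
    return "\n".join(out)

# Vulnerable shape: the authz filter is applied inside the HTML branch only,
# so the unified-diff download returns every change (the ticket's defect).
def changeset_vulnerable(user: str, changes: List[Change], fmt: str) -> str:
    if fmt == "html":
        return render_html([c for c in changes if allowed(user, c.path)])
    return render_unified(changes)  # no filter on this path

# Fixed shape: filter once, then dispatch on format. Any renderer added
# later inherits the same authorization decision.
RENDERERS: Dict[str, Callable[[List[Change]], str]] = {
    "html": render_html,
    "diff": render_unified,
}

def changeset_fixed(user: str, changes: List[Change], fmt: str) -> str:
    visible = [c for c in changes if allowed(user, c.path)]
    return RENDERERS[fmt](visible)

# Constructed sample changeset: one public file, one restricted file.
SAMPLE = [Change("/public/README", "old", "new"),
          Change("/secret/key.txt", "k1", "k2")]
```

A regression test for this bug should exercise every output format with a user who lacks access to at least one path, not just the HTML view.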
Change History (7)
comment:1, 21 years ago
| Severity: | normal → major |
|---|---|
comment:2, 21 years ago
| Component: | general → changeset view |
|---|---|
| Description: | modified (diff) |
comment:3, 21 years ago
Oh, yes, this is the case. I am using Trac 0.8 release and replaced the buggy authzperm.py with the newest one in the trunk.
comment:4, 21 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Version: | devel → 0.8 |
This problem has been fixed in trunk some time ago, so it only applies to the 0.8-stable branch.
comment:5, 21 years ago
| Keywords: | authz added |
|---|---|
| Resolution: | → fixed |
| Status: | assigned → closed |
Are you saying that the unified diff actually contains the changes to files protected by authz? Looking at the code, I can't see how that is possible, but maybe I'm missing something.
Also, what version of Trac are you using? SVN trunk?