#1220 closed defect (fixed)
Security Hole in Fine Grain Permission
| Reported by: | Richard Li | Owned by: | Christopher Lenz |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.8.1 |
| Component: | version control/changeset view | Version: | 0.8 |
| Severity: | major | Keywords: | authz |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
I discovered a security hole in fine grain permission. When browsing a changeset with changes the user is not authorized to access, the HTML-based diff output is dropped, but one thing is missing: the ability to download the diff in other formats (Unified Diff) breaks the protection and gives access to the unauthorized information.
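The pattern behind this report is an authorization filter that lives in the HTML renderer only, so an alternate export of the same changeset never sees it. The example below is added here and is not Trac's code; the changeset, the path-prefix policy and the function names are constructed to show the leaky layout beside the fix, which authorizes the change list once and feeds every format from that filtered list.

```python
# Added example, not Trac's own code. Constructed sample changeset:
# (repository path, unified diff text for that path).
CHANGESET = [
    ("trunk/README", "--- a/trunk/README\n+++ b/trunk/README\n@@ -1 +1 @@\n-old\n+new\n"),
    ("trunk/secret/keys.txt", "--- a/trunk/secret/keys.txt\n+++ b/trunk/secret/keys.txt\n@@ -1 +1 @@\n-k1\n+k2\n"),
]

# Constructed authz policy: path prefixes each user may read (assumption,
# stands in for the real authz file).
ALLOWED_PREFIXES = {"alice": ("trunk/README",), "bob": ("trunk/",)}


def has_permission(user, path):
    return any(path.startswith(p) for p in ALLOWED_PREFIXES.get(user, ()))


# Leaky layout: the check is part of HTML rendering only ...
def render_html_leaky(user, changeset):
    rows = [f"<li>{path}</li>" for path, _ in changeset if has_permission(user, path)]
    return "<ul>" + "".join(rows) + "</ul>"


# ... and the unified-diff export reads the raw changeset, so nothing is dropped.
def render_unified_leaky(user, changeset):
    return "".join(diff for _, diff in changeset)


# Fixed layout: authorize the data once, then let any formatter consume
# only the filtered list. Adding a new format cannot skip the check.
def authorized_changes(user, changeset):
    return [(path, diff) for path, diff in changeset if has_permission(user, path)]


def render(user, changeset, fmt):
    changes = authorized_changes(user, changeset)
    if fmt == "html":
        return "<ul>" + "".join(f"<li>{path}</li>" for path, _ in changes) + "</ul>"
    if fmt == "diff":
        return "".join(diff for _, diff in changes)
    raise ValueError(f"unknown format: {fmt}")
```

A quick regression check for a fix like this is to request every export format of a changeset as a user who is denied one of its paths and confirm the denied path appears in none of them.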
Attachments (0)
Change History (7)
comment:1 by , 20 years ago
| Severity: | normal → major |
|---|---|
comment:2 by , 20 years ago
| Component: | general → changeset view |
|---|---|
| Description: | modified (diff) |
comment:3 by , 20 years ago
Oh, yes, this is the case. I am using Trac 0.8 release and replaced the buggy authzperm.py with the newest one in the trunk.
comment:4 by , 20 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
| Version: | devel → 0.8 |
This problem has been fixed in trunk some time ago, so it only applies to the 0.8-stable branch.
comment:5 by , 20 years ago
| Keywords: | authz added |
|---|---|
| Resolution: | → fixed |
| Status: | assigned → closed |
Are you saying that the unified diff actually contains the changes to files protected by authz? Looking at the code, I can't see how that is possible, but maybe I'm missing something.
Also, what version of Trac are you using? SVN trunk?