Modify ↓
Opened 19 years ago
Closed 18 years ago
#2147 closed defect (fixed)
Settings -> changing SID is not protected against index collision
| Reported by: | Owned by: | Jonas Borgström | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 0.9b1 |
| Severity: | major | Keywords: | sid index collision |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Using the settings form, any anonymous user has the possibility to customize a SID string instead o using the provided random key. The code update is not protected against a sid already existing condition. Since authenticated users usually have sid=name, is fairly easy for anyone to drive the application into unexpected failure.
Verified against Trac 0.9b1 with PostgreSQL backend.
Attachments (0)
Change History (2)
comment:1 by , 18 years ago
| Milestone: | → 0.12 |
|---|
comment:2 by , 18 years ago
| Milestone: | 0.12 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Well, I verified this, and currently when trying to enter an already taken sid, Trac produces the following error:
Session "test" already exists. Please choose a different session ID.
So I think that the SID is now protected against index collision.
As I couldn't figure out which change since 0.9b1 implemented this, I leave the milestone field blank.
Note:
See TracTickets
for help on using tickets.
Might be considered for milestone:0.12