Changeset accessible even through authz_file is in use

[anonymous]

Since trac-0.10.2, changesets from private branches (access controlled through the authz_file directive) are now accessible to anonymous users. The timeline view is also affected. This sound like a severe security issue.

[Christopher Lenz]

Haven't tried to reproduce this, but if that is the case, yeah, it's serious.

[Christian Boos]

Well, it works for me. Can you provide more details, like what paths are now accessible and what is the corresponding authz_file (mangle user names and paths if the file is sensitive).

Also, make sure you have a fresh and clean 0.10.2 install. Create a new test env, use the same repository and the same authz_file. Can you reproduce the issue?

[anonymous]

I'm currently trying to gather more information concerning the problem. I'm now seeing that it also seem to impact the browser view. The svnpolicy file look like:

[/]
a = rw
b = rw
c = rw
*= r

[/trunk/projectA]
d = rw
e = rw

# more declaration skipped, here is the interesting bit:
[/branches/private]
a = rw
* =

[Christian Boos]

Oh, wait, yes, it seems that the Timeline shows me a changeset I shouldn't have access to. trunk is not affected but 0.10.2 is…

But trying to view this changeset or go the the path using the browser still raises the appropriate exception.

[Christian Boos]

Well, it seems that it's even worse with 0.10-stable… nothing gets protected there. You're using a patched 0.10.2, right?

[Christian Boos]

He, sure… The req.authname info was set after the pre_process_request …

[anonymous]

I patched to 0.10.3-dev, both Changeset view and Browser view are affected. From my testing, it seem like trac completly ignore any specification of the authz_file setting, even with a policy file as simple as:

[/]
* =

[Christian Boos]

Replying to anonymous:

I patched to 0.10.3-dev, …

Right, I should have guessed or you should have told me earlier ;)

Fixed in r4309.

[anonymous]

Thanks! I applied the diff, which fix the problem.