Context Navigation

Modify ↓

#4240 closed defect (fixed)

Data disclosure issue with attachments

Reported by:	Noah Kantrowitz (coderanger) <coderanger@…>	Owned by:	Christian Boos
Priority:	high	Milestone:	0.11
Component:	general	Version:	0.10
Severity:	critical	Keywords:	security attachment
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

AttachmentModule._render_list does not check for the TICKET_VIEW or WIKI_VIEW permissions. This means any user can see the list of attachments on any wiki page or ticket, though they cannot access those attachments without the needed permissions. This is present both in 0.10 and trunk.

Attachments (0)

Change History (3)

comment:1 by Christian Boos, 19 years ago

Owner:	changed from Jonas Borgström to Christian Boos

comment:2 by Christian Boos, 19 years ago

See r4700.

comment:3 by Christian Boos, 19 years ago

Resolution:	→ fixed
Status:	new → closed

This is fixed in trunk, as the permission check for each attachment is now done in the list_of_attachments macro.

Modify Ticket

Change Properties

Summary:
Description:	`AttachmentModule._render_list` does not check for the `TICKET_VIEW` or `WIKI_VIEW` permissions. This means any user can see the list of attachments on any wiki page or ticket, though they cannot access those attachments without the needed permissions. This is present both in 0.10 and trunk. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Christian Boos.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Christian Boos to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: