Edgewall Software
Modify

Opened 18 years ago

Closed 17 years ago

Last modified 17 years ago

#5022 closed defect (fixed)

[patch] existing tickets are opened via /newticket URL

Reported by: pkou at ua.fm Owned by: Christian Boos
Priority: low Milestone: 0.11
Component: ticket system Version: devel
Severity: minor Keywords: security
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

It is possible to open existing tickets using /newticket URL.

Sample: http://tracsite/newticket?id=1 will open ticket #1

Possible fix:

  • web_ui.py

     
    115115            return True
    116116
    117117    def process_request(self, req):
    118         if 'id' in req.args:
     118        if re.match(r'/ticket/([0-9]+)$', req.path_info) is not None:
    119119            return self._process_ticket_request(req)
    120120        return self._process_newticket_request(req)

Cf. with match_request also.

Attachments (0)

Change History (7)

comment:1 by Christian Boos, 18 years ago

Milestone: 0.11.10.11
Owner: changed from Jonas Borgström to Christian Boos

A req.path_info.startswith('/newticket/') should also do.

comment:2 by Christian Boos, 17 years ago

Resolution: fixed
Status: newclosed

Fixed in r6014.

comment:3 by Noah Kantrowitz, 17 years ago

Resolution: fixed
Status: closedreopened

I would rather see this redirect to the correct /ticket page than just show an error. Thoughts?

comment:4 by Christian Boos, 17 years ago

I think redirects should rather be used for "normalizing" different valid URLs to the same canonical URL (like we do for a Wiki page with name ending with "/", for example).

Here (/newticket?id=1) it's clearly an error and not an alternative "valid" URL for /ticket/1.

in reply to:  4 comment:5 by hyuga <hyugaricdeau@…>, 17 years ago

Replying to cboos:

I think redirects should rather be used for "normalizing" different valid URLs to the same canonical URL (like we do for a Wiki page with name ending with "/", for example).

Here (/newticket?id=1) it's clearly an error and not an alternative "valid" URL for /ticket/1.

I agree. Wouldn't really want users thinking /newticket?id=1 is at all valid. I could see that leading to bad things.

comment:6 by Christian Boos, 17 years ago

Resolution: fixed
Status: reopenedclosed

Closing again, /newticket?id=1 is definitely a bogus URL and should be reported as such.

Now, we could eventually reconsider the problem and allow the creation of tickets with an explicit id if they don't exist, but that's a different issue and brings some new concerns (would work just fine for deleted tickets, but what about ids that have simply not yet been reached?).

in reply to:  6 comment:7 by Christian Boos, 17 years ago

Replying to cboos:

Closing again, /newticket?id=1 is definitely a bogus URL and should be reported as such.

I've reconsidered this after r6120,6122 made the issue go away: adding back the check and raising an error would only have made the code more complex and goes in the direction of strictly checking all the URL parameters, which I'm not sure is a good thing to do (thinking about extensions). So better ignore that extra id since now it is harmless (see r6565).

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Christian Boos.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Christian Boos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.