#5022 closed defect (fixed)
[patch] existing tickets are opened via /newticket URL
Reported by: | pkou at ua.fm | Owned by: | Christian Boos |
---|---|---|---|
Priority: | low | Milestone: | 0.11 |
Component: | ticket system | Version: | devel |
Severity: | minor | Keywords: | security |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
It is possible to open existing tickets using /newticket URL.
Sample: http://tracsite/newticket?id=1 will open ticket #1
Possible fix:
-
web_ui.py
115 115 return True 116 116 117 117 def process_request(self, req): 118 if 'id' in req.args:118 if re.match(r'/ticket/([0-9]+)$', req.path_info) is not None: 119 119 return self._process_ticket_request(req) 120 120 return self._process_newticket_request(req)
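Review bot: the new test on line 118 of process_request writes the /ticket/([0-9]+)$ pattern inline, so if match_request (which the report says to compare) matches ticket paths with its own expression, the two can drift apart; compile the pattern once at module level and use it in both places. The capture group is not used in this condition, and "is not None" is redundant inside an if. The hunk does not show an "import re" for web_ui.py or whether _process_newticket_request still reads req.args['id'], so both are worth confirming before this goes in.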
Cf. with match_request also.
Attachments (0)
Change History (7)
comment:1 by , 18 years ago
Milestone: | 0.11.1 → 0.11 |
---|---|
Owner: | changed from | to
comment:3 by , 17 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
I would rather see this redirect to the correct /ticket page than just show an error. Thoughts?
follow-up: 5 comment:4 by , 17 years ago
I think redirects should rather be used for "normalizing" different valid URLs to the same canonical URL (like we do for a Wiki page with name ending with "/", for example).
Here (/newticket?id=1) it's clearly an error and not an alternative "valid" URL for /ticket/1.
comment:5 by , 17 years ago
Replying to cboos:
I think redirects should rather be used for "normalizing" different valid URLs to the same canonical URL (like we do for a Wiki page with name ending with "/", for example).
Here (/newticket?id=1) it's clearly an error and not an alternative "valid" URL for /ticket/1.
I agree. Wouldn't really want users thinking /newticket?id=1 is at all valid. I could see that leading to bad things.
follow-up: 7 comment:6 by , 17 years ago
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Closing again, /newticket?id=1 is definitely a bogus URL and should be reported as such.
Now, we could eventually reconsider the problem and allow the creation of tickets with an explicit id if they don't exist, but that's a different issue and brings some new concerns (would work just fine for deleted tickets, but what about ids that have simply not yet been reached?).
comment:7 by , 17 years ago
Replying to cboos:
Closing again, /newticket?id=1 is definitely a bogus URL and should be reported as such.
I've reconsidered this after r6120,6122 made the issue go away: adding back the check and raising an error would only have made the code more complex and goes in the direction of strictly checking all the URL parameters, which I'm not sure is a good thing to do (thinking about extensions). So better ignore that extra id since now it is harmless (see r6565).
A req.path_info.startswith('/newticket/') should also do.
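The dispatch behaviour discussed in this ticket, as an added example that is not part of the ticket or of Trac's code: it compares choosing the handler from the presence of an id argument with choosing it from the matched path. The Request class, route() and both dispatch functions are hypothetical stand-ins, and the assumption that match_request copies the path's ticket number into req.args is part of the model, not something shown on this page.

```python
import re

# Hypothetical stand-ins for illustration; not Trac's real Request or ticket module.
TICKET_PATH = re.compile(r'/ticket/([0-9]+)$')


class Request:
    def __init__(self, path_info, args=None):
        self.path_info = path_info
        self.args = dict(args or {})  # query-string parameters, client controlled


def match_request(req):
    """Accept /newticket, or /ticket/<id> (assumed to copy the id into req.args)."""
    if req.path_info == '/newticket':
        return True
    m = TICKET_PATH.match(req.path_info)
    if m:
        req.args['id'] = m.group(1)
        return True
    return False


def dispatch_by_param(req):
    """Reported behaviour: any 'id' argument selects the existing-ticket handler."""
    if 'id' in req.args:
        return ('ticket', int(req.args['id']))
    return ('newticket', None)


def dispatch_by_path(req):
    """Check proposed in the ticket: only the matched path selects the handler."""
    m = TICKET_PATH.match(req.path_info)
    if m is not None:
        return ('ticket', int(m.group(1)))
    return ('newticket', None)


def route(req, dispatch):
    return dispatch(req) if match_request(req) else ('no match', None)


if __name__ == '__main__':
    # Constructed sample requests.
    for path, args in [('/ticket/1', {}), ('/newticket', {}), ('/newticket', {'id': '1'})]:
        print(path, args,
              route(Request(path, args), dispatch_by_param),
              route(Request(path, args), dispatch_by_path))
```

With path-based dispatch the extra id on /newticket is simply ignored, which is the outcome comment:7 settles on.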