Context Navigation

Modify ↓

#7391 closed defect (wontfix)

renamed plugin disable commands in trac.ini [components] silently fail, a security issue

Reported by:	anonymous	Owned by:
Priority:	low	Milestone:
Component:	general	Version:	0.11
Severity:	trivial	Keywords:	security
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

On upgrading to trac 0.11, I found I had to rename:

   webadmin.plugin.pluginadminpage=disabled

trac.admin.web_ui.PluginAdminPanel=disabled

The problem here is that I found this by noticing that trac 0.11 was allowing uploads.

There was no complaint about the old disabled line not being relevant any more, and no upgrade documentation to warn that if we locked things down in webadmin we now need to rename the lines in the config file.

I think the lack of warning (in code or in documentation) is a security risk to people upgrading.

Attachments (0)

Change History (7)

comment:1 by anonymous, 16 years ago

Owner:	set to anonymous
Status:	new → assigned

ccc

comment:2 by Piotr Kuczynski <piotr.kuczynski@…>, 16 years ago

Component:	general → admin/web
Keywords:	security added
Milestone:	→ 0.11.1
Severity:	normal → critical
Version:	→ 0.11

comment:3 by Christian Boos, 16 years ago

Milestone:	0.11.2 → 0.11.3
Priority:	normal → low
Severity:	critical → major

Well, hm, I think it's a bit late to bother with upgrades from WebAdmin, but if someone contributes a patch, why not.

comment:4 by Remy Blank, 16 years ago

I have been tempted several times to just close this as wontfix. It's the site admin's job to check the site thoroughly after an upgrade, after all. At most, add a warning to the upgrade instructions for 0.11.

comment:5 by anonymous, 16 years ago

Component:	admin/web → general
Severity:	major → trivial
Status:	assigned → new

comment:6 by Remy Blank, 16 years ago

Milestone:	0.11.3
Resolution:	→ wontfix
Status:	new → closed

No patch contributed (comment:3), closing as wontfix.

comment:7 by Remy Blank, 16 years ago

Owner:	anonymous removed

Modify Ticket

Change Properties

Summary:
Description:	On upgrading to trac 0.11, I found I had to rename: {{{ webadmin.plugin.pluginadminpage=disabled }}} to {{{ trac.admin.web_ui.PluginAdminPanel=disabled }}} The problem here is that I found this by noticing that trac 0.11 was allowing uploads. There was no complaint about the old disabled line not being relevant any more, and no upgrade documentation to warn that if we locked things down in webadmin we now need to rename the lines in the config file. I think the lack of warning (in code or in documentation) is a security risk to people upgrading. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The ticket will remain with no owner.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from (none) to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: