Edgewall Software

Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#7875 closed defect (invalid)

Security Hole in Trac 0.11

Reported by: anonymous
Owned by:
Priority: normal
Milestone:
Component: version control
Version: 0.11
Severity: normal
Keywords: security needinfo
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:


Users having FILE_VIEW and BROWSER_VIEW permissions have read access to the whole Subversion tree and can get any file, no matter if the AuthzSVNAccessFile file might be restricting them in the regular svn clients.

Trac must be able to restrict users/groups according to the grained permissions in the AuthzSVNAccessFile.

Attachments (0)

Change History (3)

comment:1 by osimons, 13 years ago

Keywords: needinfo added

I'm quite sure the feature works as it should, and suspect this is due to misconfiguration at your end. Could you please check your settings for authz_file (and authz_module_name if you have more than one repos controlled by that file) - see TracIni#trac-section.

If the settings are correct, then please provide an extract of your authz file that allows us to reproduce the exact problem you are seeing.
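
A sketch of the check requested in comment:1, as an added example that is not part of the ticket or of Trac's code: it reads the `authz_file` and `authz_module_name` options from the `[trac]` section of trac.ini and compares the module name with the repository prefixes used by sections of the authz file. The function name, paths and sample file contents are constructed for illustration, and the prefix comparison is a heuristic, not Trac's own lookup logic.

```python
import configparser

def _parse(text):
    # trac.ini and the Subversion authz file are both INI-style.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    return cp

def lint_authz_settings(trac_ini_text, authz_text):
    """Return a list of findings (empty list: nothing suspicious found)."""
    # authz_text: content of the file named by authz_file, None if unreadable.
    ini = _parse(trac_ini_text)
    authz_file = ini.get("trac", "authz_file", fallback="").strip()
    module = ini.get("trac", "authz_module_name", fallback="").strip()
    if not authz_file:
        return ["authz_file is not set in the [trac] section"]
    if authz_text is None:
        return ["authz_file %r could not be read" % authz_file]
    # Repository prefixes used by sections such as [name:/path].
    prefixes = {s.split(":", 1)[0] for s in _parse(authz_text).sections()
                if ":" in s and not s.startswith("/")}
    findings = []
    if module and prefixes and module not in prefixes:
        findings.append("authz_module_name %r matches none of the prefixes %s"
                        % (module, sorted(prefixes)))
    if not module and prefixes:
        findings.append("sections use prefixes %s but authz_module_name is unset"
                        % sorted(prefixes))
    return findings

# Constructed sample input, not taken from the ticket.
SAMPLE_TRAC_INI = """[trac]
authz_file = /srv/svn/conf/authz
authz_module_name = projectA
"""
SAMPLE_AUTHZ = """[groups]
devs = alice, bob

[projectB:/]
@devs = rw

[projectB:/private]
* =
"""

if __name__ == "__main__":
    for finding in lint_authz_settings(SAMPLE_TRAC_INI, SAMPLE_AUTHZ):
        print("WARNING:", finding)
```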

comment:2 by anonymous, 13 years ago

Resolution: invalid
Status: new → closed

Thank you so much! I did what you explained and now it works as expected :)

comment:3 by Emmanuel Blot, 13 years ago

Milestone: 0.11.3
Priority: highest → normal
Severity: critical → normal

(cleaning up milestone)
