Edgewall Software
Modify

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#9778 closed defect (wontfix)

authz_policy matches pages in a case-sensitive manner

Reported by: kpeng@… Owned by:
Priority: normal Milestone:
Component: general Version: 0.12dev
Severity: normal Keywords: authz_policy
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

authz_policy got rolled into Trac mainline, so I'm filing a bug here, as opposed to at Trac Hacks.

I'm running Trac 0.11.6, but it doesn't look like the authz_policy plugin has changed int Trac 0.12. I noticed that the authz_policy matches the wiki page names using fnmatch, which matches in a case-sensitive manner. So if you block users from a test page like so:

[wiki:test]

the user cannot access wiki/test, but can still access the page using wiki/Test, wiki/tEst, wiki/tESt, etc. authz_policy should not use case-sensitive matching for something like this. My temporary patch is to do:

236    if fnmatch(resource_key.lower(), resource_glob.lower()):

and we retain the benefits of a filesystem-type match.

Attachments (0)

Change History (4)

in reply to:  description comment:1 by Remy Blank, 11 years ago

Resolution: wontfix
Status: newclosed

Replying to kpeng@…:

authz_policy should not use case-sensitive matching for something like this.

Why not? "test" and "Test" are two different pages, and they can exist at the same time. The case-sensitive match is by design here.

comment:2 by anonymous, 11 years ago

Something in our Trac set up treats test and Test as the same page. In the very least, I would think authz_policy needs to pick this up and respect that setting.

comment:3 by Remy Blank, 11 years ago

This sounds very much like a database mis-configuration. What database are you using? What are the encoding settings?

comment:4 by kpeng@…, 11 years ago

Ah, that's the problem, our MySQL was configured with the latin1 CHARSET.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The ticket will remain with no owner.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from (none) to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.