
Opened 7 years ago

Closed 3 years ago

#2296 closed defect (wontfix)

checking input before use

Reported by: lasse@…
Owned by: coderanger
Priority: high
Component: WikiRenamePlugin
Severity: critical
Keywords: input checking
Cc:
Trac Release: 0.10

Description

Since the rename_page function does not check the content of oldname and newname, you can use this plugin for much more than just renaming wiki pages.

If you have "lost" your admin rights, this would be a quick fix.

Just rename a page
from: "blahblah'; INSERT INTO permission (username, action) VALUES ('lasse', 'TRAC_ADMIN');"
to: "blahblah2"

Some filtering should probably be done on the input.

Attachments (0)

Change History (3)

comment:1 follow-up: Changed 7 years ago by dagomez

Hi, I'm a bit puzzled because I tried to replicate the exploit but it doesn't seem to work in my local installation. That's supposed to be good but I'm still worried.

Traceback (most recent call last):

  File "C:\Python25\lib\site-packages\trac\web\main.py", line 406, in dispatch_request
    dispatcher.dispatch(req)
  File "C:\Python25\lib\site-packages\trac\web\main.py", line 237, in dispatch
    resp = chosen_handler.process_request(req)
  File "c:\desarrollo\wikirenameplugin\wikirename\web_ui.py", line 69, in process_request
    rename_page(self.env, src, dest, req.authname, req.remote_addr, debug=self.log.debug)
  File "c:\desarrollo\wikirenameplugin\wikirename\util.py", line 47, in rename_page
    cursor.execute(sql)
  File "C:\Python25\lib\site-packages\trac\db\util.py", line 51, in execute
    return self.cursor.execute(sql)
  File "C:\Python25\lib\site-packages\trac\db\sqlite_backend.py", line 56, in execute
    args or [])
  File "C:\Python25\lib\site-packages\trac\db\sqlite_backend.py", line 48, in _rollback_on_error
    return function(self, *args, **kwargs)
Warning: You can only execute one statement at a time.

comment:2 in reply to: ↑ 1 Changed 7 years ago by lasse@…

Replying to dagomez:

Hmm, well, the last line states that it won't execute more than one statement at a time, so either this is specific to SQLite (I use MySQL) or you are using a different version of Trac than me.
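The exchange above comes down to one detail: a rename whose SQL is assembled by string formatting is injectable, and whether the injected INSERT actually lands depends on whether the database driver accepts stacked statements. The following is an added example (not the plugin's code, and not Trac's schema) that reproduces both observations in one place. It assumes the flawed query has the shape `UPDATE wiki SET name='%s' WHERE name='%s'`, uses two constructed stand-in tables named `wiki` and `permission`, feeds in the reporter's page name verbatim, and uses sqlite3's `executescript()` as a stand-in for a backend that executes every statement in the string. The parameterised `rename_page_safe` is the fix: the payload is then only a page name that does not exist.

```python
import sqlite3

# Constructed stand-in for the two tables the ticket talks about (not Trac's real schema).
SCHEMA = """
CREATE TABLE wiki (name TEXT NOT NULL, version INTEGER NOT NULL, text TEXT);
CREATE TABLE permission (username TEXT NOT NULL, action TEXT NOT NULL);
INSERT INTO wiki (name, version, text) VALUES ('blahblah', 1, 'sample page');
"""

# The "from" page name quoted in the ticket, verbatim.
PAYLOAD = ("blahblah'; INSERT INTO permission (username, action) "
           "VALUES ('lasse', 'TRAC_ADMIN');")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rename_page_unsafe(conn, oldname, newname, stacked_queries=False):
    """Assumed shape of the flawed rename: names are formatted straight into SQL.
    Returns the name of the exception the driver raised, or None on success."""
    sql = "UPDATE wiki SET name='%s' WHERE name='%s'" % (newname, oldname)
    cur = conn.cursor()
    try:
        if stacked_queries:
            # executescript() runs every statement in the string, one after the
            # other in autocommit mode, which is how a backend that accepts
            # stacked queries behaves. The UPDATE and the injected INSERT both
            # run before the leftover closing quote is even looked at.
            cur.executescript(sql)
        else:
            # sqlite3's execute() refuses the string as soon as it sees a second
            # statement, before running anything (the traceback in comment:1).
            cur.execute(sql)
        conn.commit()
        return None
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return type(exc).__name__


def rename_page_safe(conn, oldname, newname):
    """Hardened rename: placeholders, so the names are data, never SQL.
    Returns the number of rows renamed."""
    cur = conn.cursor()
    cur.execute("UPDATE wiki SET name = ? WHERE name = ?", (newname, oldname))
    conn.commit()
    return cur.rowcount


def admins(conn):
    return [u for (u,) in conn.execute(
        "SELECT username FROM permission WHERE action = 'TRAC_ADMIN'")]


def page_names(conn):
    return [n for (n,) in conn.execute("SELECT name FROM wiki ORDER BY name")]


def demo():
    """Runs the three scenarios and returns their observable results."""
    results = {}

    # 1. Single-statement driver (sqlite3.execute): the request is rejected outright.
    conn = make_db()
    results["execute_error"] = rename_page_unsafe(conn, PAYLOAD, "blahblah2")
    results["execute_admins"] = admins(conn)

    # 2. Driver that accepts stacked queries: the page is renamed AND lasse is admin.
    conn = make_db()
    results["stacked_error"] = rename_page_unsafe(conn, PAYLOAD, "blahblah2",
                                                  stacked_queries=True)
    results["stacked_admins"] = admins(conn)
    results["stacked_pages"] = page_names(conn)

    # 3. Parameterised query: the payload is just a page name that does not exist.
    conn = make_db()
    results["safe_payload_rows"] = rename_page_safe(conn, PAYLOAD, "blahblah2")
    results["safe_admins"] = admins(conn)
    results["safe_rename_rows"] = rename_page_safe(conn, "blahblah", "blahblah2")
    results["safe_pages"] = page_names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that in scenario 2 the driver still raises at the end (the dangling `'` left behind by the template is a syntax error), but only after the rename and the injected INSERT have already been applied. An error in the web UI is therefore not evidence that the attack failed, which is why the fix has to be parameterisation rather than relying on driver behaviour.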

comment:3 Changed 3 years ago by rjollos

  • Resolution set to wontfix
  • Status changed from new to closed

The 0.10 version of the plugin is deprecated.
