Opened 6 years ago

Last modified 2 years ago

#2968 assigned defect

data leakage between users

Reported by: Brett
Owned by: peca
Priority: normal
Component: TracDownloaderPlugin
Severity: major
Keywords: security
Cc:
Trac Release: 0.11

Description

This is a periodic one and is probably only applicable to mod_python (and possibly FCGI) installations, but to all versions of Trac.

Basically, when creating a DownloadData object, it initializes self.schema to the form_data.quest_form object. This is only a reference though. As the code sets values in self.schema, it is also setting them in the global form_data.quest_form. When a different user's request is handled by the same mod_python process, their form data is now prefilled with the data entered by the last user that was served by that process. Unfortunately, this can include sensitive information.

My solution was to import copy and then change the assignment in init to a deepcopy operation.

   self.schema = copy.deepcopy(form_data.quest_form)

Attachments (0)
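
The leak described in this ticket, as an added example that is not the plugin's code: two requests are served by one long-lived process, and the second user's form is read before they type anything. The field layout of `QUEST_FORM` and the `fill`/`prefill`/`simulate` helpers are assumptions made for illustration; the shallow-copy variant goes beyond the ticket to show why `copy.deepcopy` is needed rather than `copy.copy`.

```python
import copy

# Constructed stand-in for the module-level form_data.quest_form; the real
# schema's layout is not shown in the ticket, so this shape is an assumption.
QUEST_FORM = [
    {"name": "email", "label": "E-mail", "value": ""},
    {"name": "company", "label": "Company", "value": ""},
]


class SharedDownloadData:
    """Pattern from the ticket: self.schema is only a reference to the global."""

    def __init__(self, schema=QUEST_FORM):
        self.schema = schema

    def fill(self, submitted):
        # Writing a value here mutates whatever object self.schema points at.
        for field in self.schema:
            if field["name"] in submitted:
                field["value"] = submitted[field["name"]]

    def prefill(self):
        return {f["name"]: f["value"] for f in self.schema}


class ShallowDownloadData(SharedDownloadData):
    """Incomplete fix: a new list, but the per-field dicts are still shared."""

    def __init__(self, schema=QUEST_FORM):
        self.schema = copy.copy(schema)


class IsolatedDownloadData(SharedDownloadData):
    """Fix proposed in the ticket: every object works on its own deep copy."""

    def __init__(self, schema=QUEST_FORM):
        self.schema = copy.deepcopy(schema)


def simulate(cls):
    """Two requests in one process; return what the second user's form shows."""
    template = copy.deepcopy(QUEST_FORM)  # fresh process-wide schema per run
    cls(template).fill({"email": "alice@example.test", "company": "Acme"})
    return cls(template).prefill()        # second user, before any input


if __name__ == "__main__":
    for cls in (SharedDownloadData, ShallowDownloadData, IsolatedDownloadData):
        print(cls.__name__, simulate(cls))
```

A regression test for this class of bug is the same shape as `simulate`: build two objects in one process, submit data through the first, and assert the second starts empty.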

Change History (2)

comment:1 Changed 6 years ago by peca

  • Status changed from new to assigned

Thank you for your help, I'll implement your fixes as soon as I have time to do so. Your solution is good. I was unable to identify the source of this problem for a long time.

Have a nice day!
Peca

comment:2 Changed 2 years ago by rjollos

  • Keywords security added
