Opened 5 years ago

Closed 4 years ago

#5308 closed defect (duplicate)

Links to nonexistent tickets on Trac fail

Reported by: mitar Owned by: obs
Priority: normal Component: SensitiveTicketsPlugin
Severity: normal Keywords:
Cc: mmitar@…, andersk@… Trac Release: 0.11

Description

Links to nonexistent tickets on wiki fail with this plugin enabled. For example TracLinks wiki page fails with Ticket 944 does not exist. error if there is no 944 ticket on a system.

Attachments (1)

sensitivetickets.patch (877 bytes) - added by mitar 5 years ago.
patch

Change History (10)

Changed 5 years ago by mitar

patch

comment:1 Changed 5 years ago by mitar

  • Summary changed from Links to nonexistent tickets on wiki fail to Links to nonexistent tickets on Trac fail

I have made a patch for this bug.

And it is not just links on wiki but everywhere where it is possible to make links to tickets and Trac checks those links.

comment:2 Changed 5 years ago by obs

  • Owner changed from sbenthall to obs

comment:3 Changed 4 years ago by andersk

  • Cc andersk@… added

Hmm, I didn’t notice this bug when I opened #7082. Please do not use this patch, as it opens a race condition where an unprivileged attacker may briefly have access to a sensitive ticket. Please use the patch in #7082 instead.

comment:4 Changed 4 years ago by mitar

Can you please explain the race condition?

comment:5 Changed 4 years ago by andersk

This was part of my commit message:

(Allowing access to nonexistent tickets would lead to a dangerous race
condition when an attacker views a sensitive ticket just as it’s being
created.)

In particular, if a sensitive ticket is created between these two lines of trac.ticket.web_ui:

        req.perm('ticket', id, version).require('TICKET_VIEW')
        ticket = Ticket(self.env, id, version=version)

then the permission check will have succeeded and the ticket will be displayed to the attacker.
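The check-then-fetch ordering in comment:5 is a classic time-of-check/time-of-use problem, and the two lines quoted from trac.ticket.web_ui show why a policy that says "yes" for a ticket id that does not exist yet is unsafe. The following is an added model of that interleaving, not code from Trac or from SensitiveTicketsPlugin: the store, the permission function and the two handler variants are constructed stand-ins, and the `between` hook deterministically performs the "ticket created between the two lines" step so the outcome can be observed without real threads.

```python
"""Constructed model of the race described in comment:5.

Not Trac or SensitiveTicketsPlugin code: TicketStore, ticket_view_allowed
and the two view_ticket_* handlers are simplified stand-ins for
req.perm(...).require('TICKET_VIEW') and Ticket(self.env, id).  Only the
ordering of check and fetch is the point.
"""

SENSITIVE_VIEW = "SENSITIVE_VIEW"


class TicketStore:
    """Minimal in-memory ticket table: id -> {"summary", "sensitive"}."""

    def __init__(self):
        self._tickets = {}

    def create(self, tid, summary, sensitive):
        self._tickets[tid] = {"summary": summary, "sensitive": sensitive}

    def get(self, tid):
        return self._tickets.get(tid)


def ticket_view_allowed(store, tid, user_perms, allow_nonexistent):
    """Stand-in for a TICKET_VIEW policy decision.

    allow_nonexistent=True models a policy that treats a link to a
    not-yet-existing ticket as viewable (so link rendering succeeds);
    allow_nonexistent=False fails closed and denies unknown ids.
    """
    ticket = store.get(tid)
    if ticket is None:
        return allow_nonexistent
    if ticket["sensitive"]:
        return SENSITIVE_VIEW in user_perms
    return True


def view_ticket_check_then_fetch(store, tid, user_perms, allow_nonexistent,
                                 between=None):
    """Same ordering as the two quoted lines: authorise first, load second.

    `between` is a hook the caller uses to create a ticket after the check
    has passed but before the load, i.e. the race window from comment:5.
    Returns the ticket dict if it would be displayed, else None.
    """
    if not ticket_view_allowed(store, tid, user_perms, allow_nonexistent):
        return None  # 403: denied before anything is loaded
    if between:
        between()
    # The object loaded here may differ from what the check looked at.
    return store.get(tid)


def view_ticket_fetch_then_check(store, tid, user_perms, between=None):
    """Safer ordering: load the ticket, then decide on the loaded object,
    so the decision and the displayed data refer to the same ticket."""
    ticket = store.get(tid)
    if between:
        between()
    if ticket is None:
        return None  # 404: nothing to show, nothing to leak
    if ticket["sensitive"] and SENSITIVE_VIEW not in user_perms:
        return None  # 403
    return ticket


def demo():
    """Run the interleaving against each variant for a user with no
    permissions; True means the sensitive ticket would have been shown."""
    results = {}
    for name, allow_nonexistent in (("permissive", True), ("fail_closed", False)):
        store = TicketStore()

        def create(s=store):  # the creation that lands inside the window
            s.create(944, "constructed sensitive ticket", sensitive=True)

        shown = view_ticket_check_then_fetch(store, 944, set(), allow_nonexistent,
                                             between=create)
        results[name] = shown is not None

    store = TicketStore()
    shown = view_ticket_fetch_then_check(
        store, 944, set(),
        between=lambda: store.create(944, "constructed sensitive ticket", True))
    results["fetch_then_check"] = shown is not None
    return results


if __name__ == "__main__":
    print(demo())
```

With the permissive policy the unprivileged request passes the check while ticket 944 is absent and then loads the sensitive ticket that appeared in the window, which is exactly the leak andersk describes. Failing closed on unknown ids removes that path, and authorising against the loaded object rather than the id closes the window regardless of policy; either way, the fix is to make the authorisation decision about the same ticket that is about to be rendered.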

comment:6 Changed 4 years ago by mitar

  • Resolution set to fixed
  • Status changed from new to closed

Good catch.

comment:7 follow-up: Changed 4 years ago by mitar

Hm. But does not your patch prevent users without SENSITIVE_VIEW permission to open a ticket?

comment:8 in reply to: ↑ 7 Changed 4 years ago by anonymous

  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to mitar:

Hm. But does not your patch prevent users without SENSITIVE_VIEW permission to open a ticket?

No, I just tested; users without SENSITIVE_VIEW permission are able to open a ticket just fine.

Now, if they open a _sensitive_ ticket, then they do not have permission to view the ticket they just opened, and they are mysteriously redirected back to the new ticket form with no indication that the ticket was successfully opened (even though it was). But that behavior is the same with your patch, my patch, or no patch. I’ll open a separate bug for that.

Also, since neither patch has been applied yet, I’m going to reopen this bug and resolve it as “duplicate”.

comment:9 Changed 4 years ago by andersk

  • Resolution set to duplicate
  • Status changed from reopened to closed

(Forgot to log in. That last comment was from me, of course.)
