Modify

Opened 5 years ago

Closed 5 years ago

#5338 closed defect (fixed)

download plain text

Reported by: lucashr Owned by: frayja
Priority: highest Component: ProtectedMacro
Severity: critical Keywords:
Cc: Trac Release: 0.11

Description

the download in the plain text format allows the entire view, also the protected text. This is bad.

Attachments (2)

require_modify_permission.patch (2.0 KB) - added by miau 5 years ago.
add_format_check.patch (624 bytes) - added by miau 5 years ago.

Download all attachments as: .zip

Change History (9)

comment:1 Changed 5 years ago by miau

The diff view shows protected text, too.

comment:2 Changed 5 years ago by miau

I wrote the patch to fix the problem.

It require WIKI_MODIFY permission to download the plain text or to show diff.

Changed 5 years ago by miau

comment:3 Changed 5 years ago by anonymous

I'm sorry for including some debugging codes. When you patch the file, remove those.

comment:4 Changed 5 years ago by frayja

Please correct me if I'm wrong here but...

You don't seem to search the content of the wiki page for the #!protected pattern. So this patch will effectively prohibit viewing the diff of -any- wiki page unless you have the WIKI_MODIFY permission.

Currently the WIKI_VIEW permission handles this behavior. Although I agree that a separate permission for viewing diffs would have been more appropriate. This, however, should be provided by trac since they also provide the WIKI_VIEW and WIKI_MODIFY permissions.

It is a good approach though. Could you modify the patch a bit to search for the different #!protected patterns and apply the associated PROTECTED_VIEW permission? This should keep the ProtectedMacro from interfering to much with the 'core' trac workings.

(I'll try to do it myself in the near future if I can find the time)

comment:5 Changed 5 years ago by frayja

  • Resolution set to fixed
  • Status changed from new to closed

This is now implemented using the mechanism supplied by miau (thanks!) and the strategy described in my previous reply.

comment:6 Changed 5 years ago by miau

  • Resolution fixed deleted
  • Status changed from closed to reopened

Thank you for implementing! But the format must be checked since the action will be "view" when you download a plain text. I'll attach a patch that fix the problem.

Changed 5 years ago by miau

comment:7 Changed 5 years ago by anonymous

  • Resolution set to fixed
  • Status changed from reopened to closed

Finally took the time (well it was only a few minutes) to apply the supplied patch.

Add Comment

Modify Ticket

Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.