Opened 5 years ago

Closed 4 years ago

#5338 closed defect (fixed)

download plain text

Reported by: lucashr
Owned by: frayja
Priority: highest
Component: ProtectedMacro
Severity: critical
Keywords:
Cc:
Trac Release: 0.11


The download in the plain text format allows viewing the entire page, including the protected text. This is bad.

Attachments (2)

require_modify_permission.patch (2.0 KB) - added by miau 5 years ago.
add_format_check.patch (624 bytes) - added by miau 5 years ago.


Change History (9)

comment:1 Changed 5 years ago by miau

The diff view shows protected text, too.

comment:2 Changed 5 years ago by miau

I wrote the patch to fix the problem.

It requires the WIKI_MODIFY permission to download the plain text or to show the diff.

Changed 5 years ago by miau

comment:3 Changed 5 years ago by anonymous

I'm sorry for including some debugging code. When you patch the file, remove it.

comment:4 Changed 5 years ago by frayja

Please correct me if I'm wrong here but...

You don't seem to search the content of the wiki page for the #!protected pattern. So this patch will effectively prohibit viewing the diff of -any- wiki page unless you have the WIKI_MODIFY permission.

Currently the WIKI_VIEW permission handles this behavior. Although I agree that a separate permission for viewing diffs would have been more appropriate. This, however, should be provided by trac since they also provide the WIKI_VIEW and WIKI_MODIFY permissions.

It is a good approach though. Could you modify the patch a bit to search for the different #!protected patterns and apply the associated PROTECTED_VIEW permission? This should keep the ProtectedMacro from interfering too much with the 'core' trac workings.

(I'll try to do it myself in the near future if I can find the time)

comment:5 Changed 5 years ago by frayja

  • Resolution set to fixed
  • Status changed from new to closed

This is now implemented using the mechanism supplied by miau (thanks!) and the strategy described in my previous reply.

comment:6 Changed 5 years ago by miau

  • Resolution fixed deleted
  • Status changed from closed to reopened

Thank you for implementing! But the format must be checked, since the action will be "view" when you download a plain text. I'll attach a patch that fixes the problem.

Changed 5 years ago by miau

comment:7 Changed 4 years ago by anonymous

  • Resolution set to fixed
  • Status changed from reopened to closed

Finally took the time (well it was only a few minutes) to apply the supplied patch.
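The decision logic frayja describes in comment:4 (look for #!protected blocks and gate on PROTECTED_VIEW rather than WIKI_MODIFY) together with the gap miau points out in comment:6 (a plain-text download arrives as action "view", so the format must be checked too), as an added Python example that is not the plugin's own code and not either attached patch. It assumes a `#!protected` WikiProcessor marker at the start of a line, a `txt` format argument for the plain-text download, and the user's permissions as a set of strings; the `PROTECTED_VIEW` name comes from the ticket.

```python
import re

# Assumed marker: ProtectedMacro content sits in a WikiProcessor block that
# starts with "#!protected" on its own line (syntax assumed, not from the ticket).
PROTECTED_RE = re.compile(r"^\s*#!protected\b", re.MULTILINE)


def has_protected_block(page_text):
    """True if the raw wiki source contains at least one #!protected block."""
    return PROTECTED_RE.search(page_text) is not None


def is_raw_exposure(action, fmt):
    """Does this request hand out the raw, unredacted wiki source?

    The rendered page redacts protected blocks, but two paths bypass that
    rendering: the 'diff' action, and the plain-text download, which arrives
    as action 'view' with format 'txt' (the point raised in comment:6).
    """
    return action == "diff" or (action == "view" and fmt == "txt")


def check_action_only(page_text, action, fmt, perms):
    """First attempt: gate only on the action. Lets the txt download through."""
    if not has_protected_block(page_text):
        return True  # nothing protected on this page, WIKI_VIEW is enough
    if action == "diff":
        return "PROTECTED_VIEW" in perms
    return True  # 'view' is allowed, so view?format=txt slips past


def check_action_and_format(page_text, action, fmt, perms):
    """Corrected check: consider the requested format as well as the action."""
    if not has_protected_block(page_text):
        return True
    if is_raw_exposure(action, fmt):
        return "PROTECTED_VIEW" in perms
    return True  # normal rendered view; protected blocks are redacted there


# Constructed sample pages (not from the ticket).
PROTECTED_PAGE = """= Release notes =
Public paragraph everyone may read.
{{{
#!protected admins
Internal rollback procedure, visible to admins only.
}}}
"""
PUBLIC_PAGE = "= FAQ =\nNothing protected here.\n"


if __name__ == "__main__":
    viewer = {"WIKI_VIEW"}
    for label, check in (("action only", check_action_only),
                         ("action + format", check_action_and_format)):
        for action, fmt in (("view", None), ("view", "txt"), ("diff", None)):
            allowed = check(PROTECTED_PAGE, action, fmt, viewer)
            print(f"{label:16} action={action:4} format={fmt!s:4} -> "
                  f"{'allowed' if allowed else 'denied'}")
```

Run the block directly to see the two checks side by side: with only WIKI_VIEW, the action-only version still allows `view` with `format=txt` on a page containing a protected block, while the corrected version denies both that and the diff, and neither version touches pages without protected content.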
