Opened 4 years ago

Closed 4 years ago

#6771 closed defect (fixed)

Plugin uses "assert" to check perms, which could go away with -O

Reported by: jkugler
Owned by: rjollos
Priority: highest
Component: TicketChangePlugin
Severity: critical
Keywords: (none)
Cc: (none)
Trac Release: 0.11

Description

On line 55 of web_ui.py (current svn), it says:

assert req.perm.has_permission('TICKET_ADMIN')

According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See http://docs.python.org/reference/simple_stmts.html#the-assert-statement

Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket.
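The failure mode described above, as an added example (not code from TicketChangePlugin or Trac): a stand-in for `req.perm` is assumed, with `has_permission()` and a `require()` that raises a stand-in for `trac.perm.PermissionError`, so the assert-based handler can be compared with an explicit check, and a child interpreter started with `-O` shows the assert being discarded.

```python
import subprocess
import sys


class PermissionDenied(Exception):
    """Stand-in for trac.perm.PermissionError (assumed, not imported from Trac)."""


class FakePermissionCache:
    """Minimal stand-in for Trac's req.perm; interface assumed for this example."""

    def __init__(self, granted):
        self._granted = set(granted)

    def has_permission(self, action):
        return action in self._granted

    def require(self, action):
        # Explicit enforcement: raising is what stops the request, whatever -O does.
        if action not in self._granted:
            raise PermissionDenied(action)


def process_request_assert(perm):
    """The pattern reported in the ticket: the check disappears under python -O."""
    assert perm.has_permission('TICKET_ADMIN')
    return "ticket edited"


def process_request_fixed(perm):
    """Same handler with an explicit check that survives optimisation."""
    perm.require('TICKET_ADMIN')
    return "ticket edited"


def edits_allowed(handler, perm):
    """True if handler lets the request through with the given permission cache."""
    try:
        handler(perm)
    except (AssertionError, PermissionDenied):
        return False
    return True


def assert_check_fires(optimize):
    """Run the assert-style check for a user without TICKET_ADMIN in a child
    interpreter (with -O when optimize is True); True if the assert still fires."""
    code = ("class P:\n"
            "    def has_permission(self, action): return False\n"
            "assert P().has_permission('TICKET_ADMIN')\n")
    cmd = [sys.executable] + (["-O"] if optimize else []) + ["-c", code]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode != 0
```

With `-O` the child exits 0 because the assert statement was never compiled in, which is exactly why `edits_allowed(process_request_assert, ...)` would return True for an unprivileged user under an optimised interpreter while the `require()` version still refuses.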

Attachments (0)

Change History (2)

comment:1 Changed 4 years ago by rjollos

  • Owner changed from SergeiLuchko to rjollos
  • Status changed from new to assigned

Yes, this is an incorrect use of the Trac API.

comment:2 Changed 4 years ago by rjollos

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9653]) Fixed incorrect use of Trac API in enforcement of permissions. Fixes #6771.
