Opened 4 years ago

Closed 4 years ago

#6771 closed defect (fixed)

Plugin uses "assert" to check perms, which could go away with -O

Reported by: jkugler Owned by: rjollos
Priority: highest Component: TicketChangePlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11

Description

On line 55 of web_ui.py (current svn), it says:

assert req.perm.has_permission('TICKET_ADMIN')

According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See http://docs.python.org/reference/simple_stmts.html#the-assert-statement

Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket.
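To make the risk concrete, here is an added example (not code from the plugin or from this ticket): it runs an assert-guarded handler in a child interpreter with and without -O, and sets it beside a handler that raises explicitly, in the shape of Trac's req.perm.require(). The Perm/FakePerm classes and the 'edited'/'denied' outcomes are constructed stand-ins, not Trac's real PermissionCache.

```python
import subprocess
import sys
import textwrap


class TracPermissionError(Exception):
    """Stand-in for Trac's PermissionError (constructed for this example)."""


class FakePerm:
    """Constructed stand-in for req.perm; not Trac's PermissionCache."""
    def __init__(self, granted=()):
        self._granted = set(granted)

    def has_permission(self, action):
        return action in self._granted

    def require(self, action):
        # Same shape as req.perm.require(): raise, never rely on assert.
        if action not in self._granted:
            raise TracPermissionError(action)


def process_request_fixed(perm):
    """Hardened handler: an explicit check that -O cannot strip."""
    perm.require('TICKET_ADMIN')
    return 'edited'


def fixed_outcome(granted=()):
    try:
        return process_request_fixed(FakePerm(granted))
    except TracPermissionError:
        return 'denied'


# The ticket's pattern, run in a child interpreter so -O can be toggled.
CHILD_SCRIPT = textwrap.dedent("""
    class Perm:
        def has_permission(self, action):
            return False                      # caller lacks TICKET_ADMIN
    def process_request(perm):
        assert perm.has_permission('TICKET_ADMIN')   # the line-55 pattern
        return 'edited'
    try:
        print(process_request(Perm()))
    except AssertionError:
        print('denied')
""")


def assert_check_outcome(optimize):
    """What the assert-guarded handler does for an unprivileged caller."""
    argv = [sys.executable] + (['-O'] if optimize else []) + ['-c', CHILD_SCRIPT]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.strip()
```

Without -O the assert denies the caller; with -O the same handler edits the ticket, while the require()-style handler denies in both cases.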

Attachments (0)

Change History (2)

comment:1 Changed 4 years ago by rjollos

  • Owner changed from SergeiLuchko to rjollos
  • Status changed from new to assigned

Yes, this is an incorrect use of the Trac API.

comment:2 Changed 4 years ago by rjollos

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9653]) Fixed incorrect use of Trac API in enforcement of permissions. Fixes #6771.
