Context Navigation

Modify ↓

#6771 closed defect (fixed)

Plugin uses "assert" to check perms, which could go away with -O

Reported by:	Joshua Kugler	Owned by:	Ryan J Ollos
Priority:	highest	Component:	TicketChangePlugin
Severity:	critical	Keywords:
Cc:		Trac Release:	0.11

Description

On line 55 of web_ui.py (current svn), it says:

assert req.perm.has_permission('TICKET_ADMIN')

According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See http://docs.python.org/reference/simple_stmts.html#the-assert-statement

Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket.

Attachments (0)

Change History (2)

comment:1 Changed 13 years ago by Ryan J Ollos

Owner:	changed from Sergei Luchko to Ryan J Ollos
Status:	new → assigned

Yes, this is an incorrect use of the Trac API.

comment:2 Changed 13 years ago by Ryan J Ollos

Resolution:	→ fixed
Status:	assigned → closed

(In [9653]) Fixed incorrect use of Trac API in enforcement of permissions. Fixes #6771.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Ryan J Ollos.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: