Opened 4 years ago

Closed 4 years ago

#7082 closed defect (fixed)

[PATCH] Deny access to nonexistent tickets instead of throwing an exception

Reported by: andersk
Owned by: obs
Priority: normal
Component: SensitiveTicketsPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

The SensitiveTickets plugin throws an “Invalid Ticket Number” exception not only when displaying nonexistent tickets, but also when displaying tickets that accidentally link to nonexistent tickets, e.g. because someone happened to write #999999 in a comment. Please apply the attached patch.

Attachments (1)

sensitivetickets-deny-nonexistent.patch (2.1 KB) - added by andersk 4 years ago.

Change History (5)

Changed 4 years ago by andersk

comment:1 Changed 4 years ago by andersk

Your Trac seems to discard the commit message from the patch, so I’ll reproduce it below in case you want to use it:

Deny access to nonexistent tickets instead of throwing an exception.

Previously, the SensitiveTickets plugin threw an “Invalid Ticket
Number” exception not only when displaying nonexistent tickets, but
also when displaying tickets that accidentally link to nonexistent
tickets, e.g. because someone happened to write #999999 in a comment.
Fix this by properly denying access to nonexistent tickets.

(Allowing access to nonexistent tickets would lead to a dangerous race
condition when an attacker views a sensitive ticket just as it’s being
created.)

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
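As an added illustration (not the plugin's code and not the attached patch, which is not reproduced on this page), the following constructed Python model contrasts the three behaviours discussed in the description and in the commit message above: letting the "invalid ticket" error escape when a referenced ticket does not exist, failing open, and failing closed. Everything here is an assumption for the example: `TicketStore`, `STAFF`, `may_view`, `render_comment` and `view_ticket` stand in for Trac's ticket table, permission policy and wiki link renderer; Trac's real interfaces are not used.

```python
import re

# Constructed example, not SensitiveTicketsPlugin code. Models a permission
# check that is consulted both by the ticket view and by the wiki formatter
# that turns "#123" in comments into links.

STAFF = {"alice"}  # constructed rule: only these users may see sensitive tickets


class TicketNotFound(Exception):
    """Stands in for the 'Invalid Ticket Number' error the ticket reports."""


class TicketStore:
    """Constructed in-memory ticket table: id -> {'summary', 'sensitive'}."""

    def __init__(self):
        self._rows = {}

    def create(self, tid, summary, sensitive):
        self._rows[tid] = {"summary": summary, "sensitive": sensitive}

    def get(self, tid):
        if tid not in self._rows:
            raise TicketNotFound(tid)
        return self._rows[tid]


def may_view(store, tid, user, missing):
    """Decide whether `user` may view ticket `tid`.

    Existing tickets: sensitive ones are visible only to STAFF, others to all.
    Nonexistent tickets are handled according to `missing`:
      'raise' - let the lookup error escape (the behaviour reported in the ticket)
      'allow' - fail open (the alternative the commit message rejects)
      'deny'  - fail closed (what the accepted fix does)
    """
    try:
        row = store.get(tid)
    except TicketNotFound:
        if missing == "raise":
            raise
        return missing == "allow"
    return (not row["sensitive"]) or user in STAFF


LINK_RE = re.compile(r"#(\d+)")


def render_comment(store, text, user, missing):
    """Render '#N' references: a viewable ticket becomes a link, a denied one
    stays as plain text. In 'raise' mode a single stray '#999999' aborts the
    whole render, which is the symptom the ticket describes."""
    def repl(match):
        tid = int(match.group(1))
        if may_view(store, tid, user, missing):
            return f"[ticket:{tid}]"
        return match.group(0)
    return LINK_RE.sub(repl, text)


def view_ticket(store, tid, user, missing, between_check_and_fetch=None):
    """Model a request handler: authorize first, then load the row.
    `between_check_and_fetch` simulates another request running concurrently
    (here: the ticket being created just after the permission check)."""
    allowed = may_view(store, tid, user, missing)
    if between_check_and_fetch:
        between_check_and_fetch()
    if not allowed:
        return None
    return store.get(tid)["summary"]


def demo():
    store = TicketStore()
    store.create(1, "Public ticket", sensitive=False)
    store.create(2, "Payroll data leak", sensitive=True)
    comment = "Related to #1 and #2, and someone typed #999999 by mistake."
    results = {}

    # 1. Reported bug: one dangling reference breaks rendering of the comment.
    try:
        render_comment(store, comment, "bob", "raise")
        results["raise"] = "rendered"
    except TicketNotFound:
        results["raise"] = "exception"

    # 2. Fix: the dangling reference is simply left unlinked; the rest renders.
    results["deny"] = render_comment(store, comment, "bob", "deny")

    # 3. Race: failing open lets a check made before creation authorize a
    #    read made after it, exposing a sensitive ticket to a non-staff user.
    racy = TicketStore()
    results["allow_race"] = view_ticket(
        racy, 3, "bob", "allow",
        between_check_and_fetch=lambda: racy.create(3, "Merger terms", sensitive=True))
    safe = TicketStore()
    results["deny_race"] = view_ticket(
        safe, 3, "bob", "deny",
        between_check_and_fetch=lambda: safe.create(3, "Merger terms", sensitive=True))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `view_ticket` callback is the time-of-check/time-of-use window the commit message warns about: with fail-open, the check on the not-yet-existing id returns "allowed" and the later fetch returns the freshly created sensitive row; with fail-closed, the handler never reaches the fetch.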

comment:2 Changed 4 years ago by andersk

  • Owner changed from sbenthall to obs

comment:3 Changed 4 years ago by andersk

There’s some discussion about an alternative patch for the same problem on #5308. My patch is better because it isn’t vulnerable to the race condition (see #5308 for details), so I closed it as a duplicate.

comment:4 Changed 4 years ago by obs

  • Resolution set to fixed
  • Status changed from new to closed

(In [8233]) Deny access to nonexistent tickets instead of throwing an exception.

Thanks to Anders Kaseorg <andersk@mit.edu> for providing a patch

Fixes #7082
