Ticket #8438 (new enhancement)

Opened 2 years ago

Last modified 2 months ago

Hiding /users from authenticated users

Reported by: abrightwell
Assigned to: rjollos
Priority: normal
Component: AutocompleteUsersPlugin
Severity: major
Keywords:
Cc: mitar
Trac Release: 0.11

Description

Currently /users is exposed to the world, therefore exposing usernames to anyone, whether authenticated or not. This seems like it would be quite the "security" issue for privately hosted/managed trac instances.

Perhaps checking the request for an 'authenticated' setting/flag and appropriately redirecting to the default "forbidden" page if necessary would be the proper approach?
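
The check proposed above, as an added illustration that is not the plugin's own code nor the reporter's: a Trac-style request handler (match_request/process_request) for /users, shown once as reported (answers anyone) and once gated on the session. The stand-in Request class, the Forbidden exception, the sample user directory and the optional "q" prefix parameter are all assumptions made for this example; in a real Trac handler the unauthenticated user carries req.authname == 'anonymous' and the gate would raise trac.web.api.HTTPForbidden.

```python
"""Authentication gate for a username-listing endpoint (added example).

Not the AutocompleteUsersPlugin's code: it mimics the shape of a Trac
IRequestHandler with a tiny stand-in Request object so it runs offline.
"""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # Trac's authname for an unauthenticated request

# Constructed sample user directory (stands in for whatever the plugin reads).
KNOWN_USERS = [
    ("alice", "Alice Example", "alice@example.invalid"),
    ("bob", "Bob Example", "bob@example.invalid"),
    ("carol", "Carol Example", "carol@example.invalid"),
]


class Forbidden(Exception):
    """Stand-in for trac.web.api.HTTPForbidden (assumption: 403 semantics)."""


@dataclass
class Request:
    """Minimal stand-in for a Trac request object (assumption)."""
    path_info: str
    authname: str = ANONYMOUS
    args: dict = field(default_factory=dict)


class OpenUsersHandler:
    """Before: the endpoint answers anyone who asks (the reported issue)."""

    def match_request(self, req):
        return req.path_info == "/users"

    def process_request(self, req):
        return [username for username, _, _ in KNOWN_USERS]


class GatedUsersHandler:
    """After: anonymous requests are refused before any user data is read."""

    def match_request(self, req):
        return req.path_info == "/users"

    def process_request(self, req):
        if req.authname == ANONYMOUS:
            # Raise rather than return an empty list: the response is then the
            # ordinary forbidden page and the endpoint reveals nothing about
            # which usernames exist.
            raise Forbidden("/users requires an authenticated session")
        # Hypothetical autocomplete prefix filter; it is only evaluated after
        # the gate, so the query term cannot be used without a session.
        prefix = req.args.get("q", "").lower()
        return [username for username, _, _ in KNOWN_USERS
                if username.lower().startswith(prefix)]


def dispatch(handler, req):
    """Run a request through a handler the way a web front end would and
    return (status, body): Forbidden maps to 403, a non-matching path to 404."""
    if not handler.match_request(req):
        return 404, []
    try:
        return 200, handler.process_request(req)
    except Forbidden:
        return 403, []


if __name__ == "__main__":
    print("open, anonymous :", dispatch(OpenUsersHandler(), Request("/users")))
    print("gated, anonymous:", dispatch(GatedUsersHandler(), Request("/users")))
    print("gated, alice    :", dispatch(GatedUsersHandler(),
                                        Request("/users", authname="alice")))
```

The important detail is the ordering: the session check runs before any user record is touched, so there is no code path on which an unauthenticated request can influence or observe the list.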

Change History

01/26/11 09:21:18 changed by rjollos

  • priority changed from highest to normal.
  • severity changed from critical to major.

I'm aware of this issue, but won't have time to fix it for a little while. Patch welcome.

03/27/13 12:33:35 changed by mitar

  • cc set to mitar.

Some time ago I implemented some fixes to this in my branch. See this commit. I think it adequately addresses the security while user experience stays the same.

03/27/13 23:34:07 changed by rjollos

Thanks! I wasn't sure how to solve this one, so I'm happy to see that you've done that. I will pull those changes in along with the work in #9599.
