Opened 4 years ago

Last modified 4 years ago

#8491 new defect

No permission checking when requesting users

Reported by: osimons Owned by: hasienda
Priority: normal Component: CcSelectorPlugin
Severity: normal Keywords: permission email
Cc: Trac Release: 0.12

Description

Requests to /cc_selector will return emails of all users with ticket permissions, without checking any permission for the user actually requesting the data. At least TICKET_EDIT_CC permission should be required. This means:

  1. Checking permission before injecting the script in ticket pages
  2. Using req.perm.require('TICKET_EDIT_CC') in process_request()

BTW, having re.search('ticket', req.path_info) will catch a lot of unintended requests - including source code paths or wiki pages that may have 'ticket' in the name. Better would be to just check for template == 'ticket.html'.

Attachments (0)

Change History (6)

comment:1 Changed 4 years ago by rjollos

Same issue exists with AutocompleteUsersPlugin: #8438.

comment:2 follow-up: Changed 4 years ago by hasienda

  • Keywords permission email added

While thinking about this issue I noticed that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.

comment:3 in reply to: ↑ 2 ; follow-up: Changed 4 years ago by osimons

Replying to hasienda:

While thinking about this issue I noticed that using email address obfuscation as in Trac core would be desirable too, right? Mentioned here, just to keep this in mind.

Sort of, yes. Although it is very difficult to send cc email to obfuscated email addresses...

comment:4 in reply to: ↑ 3 ; follow-up: Changed 4 years ago by hasienda

Replying to osimons:

[...] Although it is very difficult to send cc email to obfuscated email addresses...

Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user. Someone with EMAIL_VIEW and Trac itself has access to the full address, and therefore has no problem sending emails as well.

But certainly we should remove the convenient mailto: links too, if obfuscating emails, which might even serve as a better default for the majority of use cases.

comment:5 in reply to: ↑ 4 Changed 4 years ago by osimons

Replying to hasienda:

Oh, not at all. This obfuscation happens only at the web-UI level. It's all about not exposing the full address to any user.

Not quite true, and certainly not for me who, like many others, use an email address for login. It is much like trac:ticket:9322 and the simple fact that such projects cannot enable restrict_owner and they should not enable this plugin. It is way too complex to make this obfuscation work for all and in all cases, so if anything it will just give a false sense of security.

But certainly we should remove the convenient mailto: links too, if obfuscating emails, which might even serve as a better default for the majority of use cases.

Yeah, sure. Can still do that of course, as if you don't have general email view permission the plugin should not be forthcoming with any information other than the username (which may be an email, but that can't be helped).

That said, just requiring TICKET_EDIT_CC will make the popup and information unavailable for most users, which in public-facing projects would normally be restricted to just having a checkbox for CC anyway.

So, summary is to add a third task:

  1. Require EMAIL_VIEW to render explicit email information and mailto: links

As well as the already mentioned...:

  1. re.search('ticket', req.path_info) => template == 'ticket.html'
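A self-contained Python sketch of the three checks this thread converges on (TICKET_EDIT_CC gate on the handler, EMAIL_VIEW gate on full addresses and mailto: links, and template == 'ticket.html' instead of a regex on the path). It is added here as an illustration and is not the plugin's code: PermCache and TracPermissionError are hypothetical stand-ins for Trac's req.perm and trac.perm.PermissionError, and KNOWN_USERS is constructed sample data in the shape env.get_known_users() yields.

```python
import re

class TracPermissionError(Exception):
    """Stand-in for trac.perm.PermissionError (hypothetical, for this example)."""

class PermCache:
    """Stand-in for req.perm: supports `action in perm` and perm.require(action)."""
    def __init__(self, granted):
        self.granted = set(granted)
    def __contains__(self, action):
        return action in self.granted
    def require(self, action):
        if action not in self.granted:
            raise TracPermissionError(action)

# Constructed sample in the shape env.get_known_users() yields: (username, name, email).
KNOWN_USERS = [
    ("alice", "Alice A.", "alice@example.org"),
    ("bob", "Bob B.", "bob@example.org"),
]

def obfuscate(email):
    """Same idea as Trac core's obfuscate_email_address(): drop the domain part."""
    at = email.find("@")
    return email[:at] + "@\u2026" if at != -1 else email

def cc_selector(perm, known_users=KNOWN_USERS):
    """Hardened stand-in for process_request(): the requester must hold
    TICKET_EDIT_CC, and only EMAIL_VIEW holders get full addresses and mailto: links."""
    perm.require("TICKET_EDIT_CC")  # raises TracPermissionError for everyone else
    show_email = "EMAIL_VIEW" in perm
    return [
        {"username": u, "name": n,
         "email": e if show_email else obfuscate(e),
         "mailto": e if show_email else None}
        for u, n, e in known_users
    ]

def should_inject_script_old(path_info):
    """The reported check: fires for any path containing 'ticket' (source paths, wiki pages)."""
    return re.search("ticket", path_info) is not None

def should_inject_script_new(template, perm):
    """Proposed check: only the ticket template, and only for users allowed to edit CC."""
    return template == "ticket.html" and "TICKET_EDIT_CC" in perm
```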

comment:6 Changed 4 years ago by osimons

Oh, BTW: When I come across issues I usually make an effort to provide a patch. However, I noticed this plugin is GPL licensed and as a matter of principle I do not touch GPL code...
