Ticket #951 (assigned defect)

Opened 2 years ago

Last modified 1 year ago

Any file in the file system can be accessed via the Doxygen plugin

Reported by: alastair@alastairsmith.me.uk Assigned to: cboos (accepted)
Priority: highest Component: DoxygenPlugin
Severity: blocker Keywords:
Cc: Trac Release: 0.10

Description

Similar to ticket #722, links to the DoxygenPlugin in wiki articles suffer the same issue of missing a trailing slash. I tried searching the Python source for a solution, but to no avail (I'm no Python coder!), and it only applies to pages that the plugin is unable to serve.

Additionally, I've found that in wiki links that are interpreted properly, the full filesystem location of the file to be served is present in the URL. Please can this be changed; after all, it doesn't happen if you visit the same pages by browsing through the links.

Change History

11/30/06 05:20:29 changed by Blackhex

  • owner changed from Blackhex to cboos.

You obviously meant ticket #772. DoxygenPlugin is currently developed by cboos, so I'm reassigning this ticket to him. But IMHO it is a duplicate and this information should be appended to #772.

11/30/06 05:57:07 changed by cboos

Ack, but unfortunately these days I've been too busy with Trac itself. Patches welcomed ;)

The DoxygenPlugin is now also getting higher on my TODO list as I want to migrate it to 0.11. Before that, I'll try to close existing issues.

12/28/06 08:34:25 changed by marko@karppinen.fi

  • priority changed from high to highest.
  • severity changed from major to blocker.
  • summary changed from Wrong link path in Wiki links and filesystem location of doc in URL to Any file in the file system can be accessed via the Doxygen plugin.

There is a *huge* security vulnerability in the "path" GET parameter described in this ticket.

You can replace the absolute path shown with, say, /etc/passwd and receive a copy of that file.

02/16/07 02:55:44 changed by cboos

  • status changed from new to assigned.

#1212 also urges about this...

02/16/07 03:19:21 changed by cboos

r1983 should fix this, please test.

Problem is, that plugin really needs a rewrite, maybe I'll do it when porting to 0.11...
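Added example (not part of the ticket, and not the code from r1983 or the plugin): a containment check for a request parameter like the "path" parameter discussed above, shown beside the trusting behaviour the ticket describes. The function names, the `Forbidden` exception and the temporary directory tree are hypothetical and constructed for illustration.

```python
import os
import tempfile


class Forbidden(Exception):
    """Requested path resolves outside the documentation root."""


def resolve_naive(base_dir, path_param):
    # Behaviour described in the ticket: the parameter is trusted as a
    # filesystem location. os.path.join discards base_dir when the second
    # argument is absolute, so the caller chooses the file.
    return os.path.join(base_dir, path_param)


def resolve_contained(base_dir, path_param):
    # Canonicalise both sides (collapses "..", follows symlinks) and
    # require the result to stay under the documentation root.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, path_param))
    if os.path.commonpath([base, target]) != base:
        raise Forbidden(path_param)
    return target


def demo():
    # Constructed sample tree: a doc root with one page, a file outside
    # it, and a symlink inside the root that points at the outside file.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "doxygen", "html")
    os.makedirs(base)
    with open(os.path.join(base, "index.html"), "w") as f:
        f.write("<html></html>")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("not documentation")
    os.symlink(secret, os.path.join(base, "link.html"))

    cases = {"index.html": "index.html", "absolute": secret,
             "dotdot": "../../secret.txt", "symlink": "link.html"}
    results = {}
    for label, param in cases.items():
        try:
            resolve_contained(base, param)
            results[label] = "served"
        except Forbidden:
            results[label] = "forbidden"
    # The naive resolver hands back the outside file unchanged.
    results["naive_absolute"] = resolve_naive(base, secret)
    return results, secret
```
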
