
Opened 2 years ago

Last modified 8 months ago

#9944 assigned defect

Dependency graph bypasses all ticket security

Reported by: wichert
Owned by: rjollos
Priority: highest
Component: MasterTicketsPlugin
Severity: critical
Keywords:
Cc: mitar
Trac Release: 0.12

Description

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private Trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

Attachments (0)

Change History (8)

comment:1 Changed 17 months ago by rjollos

mitar has posted a patch. Closing ticket on GitHub as a duplicate.

  • mastertickets/web_ui.py

    diff -ur coderanger-trac-mastertickets-42b59b4/mastertickets/web_ui.py coderanger-trac-mastertickets-perms/mastertickets/web_ui.py
    old new  
    131131        return req.path_info.startswith('/depgraph') 
    132132 
    133133    def process_request(self, req): 
     134       req.perm.require('TICKET_VIEW') 
    134135        path_info = req.path_info[10:] 
    135136 
    136137        if not path_info: 
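Review bot: the `req.perm.require('TICKET_VIEW')` added at the top of process_request is a global check only, so a user who holds TICKET_VIEW but is denied a specific ticket by a fine-grained permission policy still receives that ticket's node, its edges and its summary in the graph. Each ticket loaded while the graph is built should also be checked against its own resource (skip it when `'TICKET_VIEW' in req.perm(ticket.resource)` is false) and left out of both the node list and the edge list, so neither its existence nor its summary is emitted.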

comment:2 Changed 17 months ago by rjollos

  • Cc mitar added

comment:3 Changed 16 months ago by mitar

Ha. Nice one. I completely missed this one. :-)

comment:4 Changed 16 months ago by mitar

Hm, the links above are bad. I am not sure if this was my patch. I am also not sure if it addresses the thing correctly? It still just limits based on access to current ticket, not to dependencies. If I have access to current ticket but not to the dependency, I can still see the dependency in the graph, no?

comment:5 Changed 16 months ago by rjollos

The GitHub repository is private now and development has been moved back to trac-hacks. It looks like the patch wasn't posted by you though, it was posted by tinus-github.

I think you are right, we need to check permissions of each dependency before deciding whether to include it in the graph (or at least, whether to include any information about it, such as the summary).

comment:6 follow-up: Changed 14 months ago by anonymous

And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...

comment:7 in reply to: ↑ 6 Changed 14 months ago by rjollos

Replying to anonymous:

And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...

You mean the patch from comment:1? It is a good first step, but it doesn't take care of TracFineGrainedPermissions.
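The per-dependency check that comment:5 and comment:7 call for, as an added example that is not code from MasterTicketsPlugin or Trac: it contrasts the single global check of the comment:1 patch with a version that tests TICKET_VIEW on every ticket in the graph and drops the nodes and edges the viewer may not see. `PermCache`, `Ticket`, `PermissionDenied`, the ticket data and the function names `depgraph_coarse` / `depgraph_filtered` are constructed stand-ins; Trac's real per-resource idiom is `'TICKET_VIEW' in req.perm(ticket.resource)`, which needs a running environment and is only modelled here.

```python
"""Constructed example: filtering a ticket dependency graph by per-ticket
permission. Not code from MasterTicketsPlugin or Trac."""

from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the viewer lacks the global TICKET_VIEW action."""


@dataclass
class Ticket:
    """Stand-in for trac.ticket.model.Ticket (constructed, not Trac's class)."""
    id: int
    summary: str


class PermCache:
    """Stand-in for Trac's PermissionCache. ``'TICKET_VIEW' in perm`` is the
    global check; ``'TICKET_VIEW' in perm(ticket)`` is the fine-grained,
    per-resource check. ``denied_ticket_ids`` models a fine-grained policy
    that withholds individual tickets from an otherwise permitted user."""

    def __init__(self, global_actions, denied_ticket_ids=frozenset()):
        self._global = set(global_actions)
        self._denied = set(denied_ticket_ids)
        self._resource = None

    def __call__(self, ticket):
        scoped = PermCache(self._global, self._denied)
        scoped._resource = ticket
        return scoped

    def __contains__(self, action):
        if action not in self._global:
            return False
        if self._resource is not None and self._resource.id in self._denied:
            return False
        return True


def depgraph_coarse(req_perm, tickets, edges):
    """Behaviour of the comment:1 patch: one global TICKET_VIEW check, after
    which every ticket (with its summary) and every edge is emitted."""
    if 'TICKET_VIEW' not in req_perm:
        raise PermissionDenied('TICKET_VIEW')
    nodes = {t.id: t.summary for t in tickets}
    return nodes, list(edges)


def depgraph_filtered(req_perm, tickets, edges):
    """Hardened version: keep the global check, then test TICKET_VIEW on each
    ticket resource and drop nodes (summaries included) and any edge that
    touches a ticket the viewer may not see."""
    if 'TICKET_VIEW' not in req_perm:
        raise PermissionDenied('TICKET_VIEW')
    visible = {t.id: t.summary for t in tickets
               if 'TICKET_VIEW' in req_perm(t)}
    kept_edges = [(a, b) for a, b in edges if a in visible and b in visible]
    return visible, kept_edges


# Constructed sample data: ticket 3 is withheld from the viewer below.
TICKETS = [
    Ticket(1, "Login page layout"),
    Ticket(2, "Refactor session handling"),
    Ticket(3, "Customer-specific outage (private)"),
]
EDGES = [(1, 2), (2, 3), (1, 3)]  # (blocked, blocking) pairs


if __name__ == '__main__':
    viewer = PermCache({'TICKET_VIEW'}, denied_ticket_ids={3})
    print("coarse:  ", depgraph_coarse(viewer, TICKETS, EDGES))
    print("filtered:", depgraph_filtered(viewer, TICKETS, EDGES))
```

With the sample data the coarse function hands the viewer ticket 3's summary and both edges that point at it, while the filtered one returns only tickets 1 and 2 and the single edge between them; a viewer without TICKET_VIEW at all is rejected by both before any ticket is loaded.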

comment:8 Changed 8 months ago by rjollos

  • Owner changed from coderanger to rjollos
  • Status changed from new to assigned
