Modify

Opened 12 years ago

Last modified 4 years ago

#9944 new defect

Dependency graph bypasses all ticket security

Reported by: Wichert Akkerman Owned by: Ryan J Ollos
Priority: highest Component: MasterTicketsPlugin
Severity: critical Keywords:
Cc: Mitar Trac Release: 0.12

Description

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private trac sites since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

Attachments (0)

Change History (11)

comment:1 Changed 11 years ago by Ryan J Ollos

mitar has posted a patch. Closing ticket on GitHub as a duplicate.

  • mastertickets/web_ui.py

    diff -ur coderanger-trac-mastertickets-42b59b4/mastertickets/web_ui.py coderanger-trac-mastertickets-perms/mastertickets/web_ui.py
    old new  
    131131        return req.path_info.startswith('/depgraph')
    132132
    133133    def process_request(self, req):
     134       req.perm.require('TICKET_VIEW')
    134135        path_info = req.path_info[10:]
    135136
    136137        if not path_info:

comment:2 Changed 11 years ago by Ryan J Ollos

Cc: Mitar added; anonymous removed

comment:3 Changed 11 years ago by Mitar

Ha. Nice one. I completely missed this one. :-)

comment:4 Changed 11 years ago by Mitar

Hm, the links above are bad. I am not sure if this was my patch. I am also not sure if it addresses the thing correctly? It still just limits based on access to current ticket, not to dependencies. If I have access to current ticket but not to the dependency, I can still see the dependency in the graph, no?

comment:5 Changed 11 years ago by Ryan J Ollos

The GitHub repository is private now and development has been moved back to trac-hacks. It looks like the patch wasn't posted by you though, it was posted by tinus-github.

I think you are right, we need to check permissions of each dependency before deciding whether to include it in the graph (or at least, whether to include any information about it, such as the summary).

comment:6 Changed 11 years ago by anonymous

And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...

comment:7 in reply to:  6 Changed 11 years ago by Ryan J Ollos

Replying to anonymous:

And you need to check if a user has TICKET_VIEW before you allow them to see anything at all...

You mean the patch from comment:1? It is a good first step, but it doesn't take care for TracFineGrainedPermissions.

comment:8 Changed 10 years ago by Ryan J Ollos

Owner: changed from Noah Kantrowitz to Ryan J Ollos
Status: newassigned

comment:9 Changed 4 years ago by Ryan J Ollos

In 17718:

TracMasterTickets 4.0.4dev: Require TICKET_VIEW

Refs #9944.

comment:10 Changed 4 years ago by Ryan J Ollos

Leaving ticket open for adding TracFineGrainedPermissions checks.

comment:11 Changed 4 years ago by Ryan J Ollos

Status: assignednew

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The owner will remain Ryan J Ollos.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.