
Opened 10 years ago

Closed 5 years ago

#2296 closed defect (wontfix)

checking input before use

Reported by: lasse@…
Owned by: Noah Kantrowitz
Priority: high
Component: WikiRenamePlugin
Severity: critical
Keywords: input checking
Cc:
Trac Release: 0.10

Description

Since the rename_page function does not check the content of oldname and newname, you can use this plugin for much more than just renaming wiki pages.

If you have "lost" your admin rights, this would be a quick fix.

just rename a page
from: "blahblah'; INSERT INTO permission (username, action) VALUES ('lasse', 'TRAC_ADMIN');"
to: "blahblah2"

Some filtering should probably be done on the input.

Attachments (0)

Change History (3)

comment:1 Changed 10 years ago by dagomez

Hi, I'm a bit puzzled because I tried to replicate the exploit but it doesn't seem to work in my local installation. That's supposed to be good but I'm still worried.

Traceback (most recent call last):
  File "C:\Python25\lib\site-packages\trac\web\main.py", line 406, in dispatch_request
    dispatcher.dispatch(req)
  File "C:\Python25\lib\site-packages\trac\web\main.py", line 237, in dispatch
    resp = chosen_handler.process_request(req)
  File "c:\desarrollo\wikirenameplugin\wikirename\web_ui.py", line 69, in process_request
    rename_page(self.env, src, dest, req.authname, req.remote_addr, debug=self.log.debug)
  File "c:\desarrollo\wikirenameplugin\wikirename\util.py", line 47, in rename_page
    cursor.execute(sql)
  File "C:\Python25\lib\site-packages\trac\db\util.py", line 51, in execute
    return self.cursor.execute(sql)
  File "C:\Python25\lib\site-packages\trac\db\sqlite_backend.py", line 56, in execute
    args or [])
  File "C:\Python25\lib\site-packages\trac\db\sqlite_backend.py", line 48, in _rollback_on_error
    return function(self, *args, **kwargs)
Warning: You can only execute one statement at a time.

comment:2 in reply to: 1 Changed 9 years ago by lasse@…

Replying to dagomez:

hmm .. well, the last line states that it won't execute more than one statement at a time, so either this is specific to SQLite (I use MySQL) or you are using a different version of Trac than me.
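The pattern the description and comment:2 discuss, as an added example that is neither the plugin's code nor anything posted in this ticket: an UPDATE built by string formatting (the assumed shape of the query in rename_page), run against an in-memory SQLite database with the page name from the description, beside the same rename with bound parameters. The table layouts and the exact query text are assumptions; the single-statement refusal is the one from the traceback in comment:1.

```python
import sqlite3

# Constructed stand-in for the two Trac tables the ticket names; the column
# lists are an assumption, trimmed to what the example needs.
SCHEMA = """
CREATE TABLE wiki (name TEXT, version INTEGER, text TEXT);
CREATE TABLE permission (username TEXT, action TEXT);
INSERT INTO wiki VALUES ('blahblah', 1, 'some text');
"""
# The "from" page name quoted in the ticket description.
PAYLOAD = ("blahblah'; INSERT INTO permission (username, action) "
           "VALUES ('lasse', 'TRAC_ADMIN');")

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def rename_unsafe(conn, oldname, newname):
    """Assumed shape of the plugin's query: names pasted straight into SQL."""
    sql = "UPDATE wiki SET name='%s' WHERE name='%s'" % (newname, oldname)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount

def rename_safe(conn, oldname, newname):
    """Same rename with bound parameters: a name can only ever be a value."""
    cur = conn.execute("UPDATE wiki SET name=? WHERE name=?", (newname, oldname))
    conn.commit()
    return cur.rowcount

def admins(conn):
    rows = conn.execute("SELECT username FROM permission WHERE action='TRAC_ADMIN'")
    return [r[0] for r in rows]

def demo_unsafe():
    """Python's sqlite3 refuses the stacked statement (the error in comment:1);
    that is a property of this driver, not a defence to rely on."""
    conn = fresh_db()
    try:
        rename_unsafe(conn, PAYLOAD, "blahblah2")
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return "rejected: %s" % exc
    return "executed, admins=%r" % admins(conn)

def demo_safe():
    """With binding, the payload is just a page name that matches no row."""
    conn = fresh_db()
    changed = rename_safe(conn, PAYLOAD, "blahblah2")
    names = [r[0] for r in conn.execute("SELECT name FROM wiki")]
    return changed, names, admins(conn)
```

With a plain page name both functions rename one row; the difference only shows when the name carries SQL, which the bound version never interprets.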

comment:3 Changed 5 years ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed

The 0.10 version of the plugin is deprecated.
