Opened 14 years ago

Closed 6 years ago

#2702 closed defect (fixed)

path is leaking some sensitive infos

Reported by: anonymous
Owned by: Christian Boos
Priority: normal
Component: DoxygenPlugin
Severity: normal
Keywords: (none)
Cc: (none)
Trac Release: 0.10

Description (last modified by Ryan J Ollos)


I'm not sure what the ?path=/full/path/disclosure/bla.html is good for.

In my opinion it's disclosing potentially sensitive information.

Cheers, /thorkill

--- simple fix

  • 0.10/doxygentrac/

    237237                              href=formatter.href.doxygen())
    238238            else:
    239239                return html.a(label, title=params,
    240                               href=formatter.href.doxygen(link, path=path))
     240                              href=formatter.href.doxygen(link))
    241241        yield ('doxygen', doxygen_link)
    243243    def get_wiki_syntax(self):
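Review bot: Dropping `path=path` from the generated href on line 240 stops the plugin from embedding a server-side filesystem path in every doxygen link, which is the disclosure this ticket reports, but the hunk only changes what the link emits; the request handler that reads the `path` query parameter is not touched, so the server would still honour a `path=` value present in a request. The fix should also stop reading that parameter in the handler and resolve the document from `link` alone, which is what the later r15358 commit in comment:4 describes doing.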

Attachments (0)

Change History (3)

comment:2 Changed 13 years ago by anonymous

Any plans to merge this in SVN?

comment:3 Changed 12 years ago by Ryan J Ollos

Description: modified (diff)

comment:4 Changed 6 years ago by Committo-Ergo-Sum

Resolution: fixed
Status: new → closed

In 15358:

DoxygenPlugin: new implementation of IRequestHandler methods. In particular, the "path" parameter in the query-string is dropped. This fixes #772 #951 #962 #1564 and #2702, which complain about the security vulnerability it may contain, and other wrong path generations.
