Context Navigation

Modify ↓

#2702 closed defect (fixed)

path is leaking some sensitive infos

Reported by:	anonymous	Owned by:	Christian Boos
Priority:	normal	Component:	DoxygenPlugin
Severity:	normal	Keywords:
Cc:		Trac Release:	0.10

Description (last modified by Ryan J Ollos)

Hi,

I'm not sure what's the ?paht=/full/path/diclosure/bla.html good for.

In my opinion it's disclosing potentialy sensitive informations.

Cheers, /thorkill

--- simple fix

0.10/doxygentrac/doxygentrac.py

                               href=formatter.href.doxygen())
             else:
                 return html.a(label, title=params,
                               href=formatter.href.doxygen(link, path=path))
+                              href=formatter.href.doxygen(link))
         yield ('doxygen', doxygen_link)
     def get_wiki_syntax(self):

Attachments (0)

Change History (3)

comment:2 Changed 15 years ago by anonymous

Any plans to merge this in SVN?

comment:3 Changed 14 years ago by Ryan J Ollos

Description:	modified (diff)

comment:4 Changed 9 years ago by Committo-Ergo-Sum

Resolution:	→ fixed
Status:	new → closed

In 15358:

DoxygenPlugin: new implementation of IRequestHandler methods. In particular, the "path" parameter in the query-string is droped. This fixes #772 #951 #962 #1564 and #2702 who complain about the security vulnerability it may contain, and other wrong path generations.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Christian Boos.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: