Opened 9 years ago

Closed 17 months ago

#2702 closed defect (fixed)

path is leaking some sensitive infos

Reported by: anonymous
Owned by: Christian Boos
Priority: normal
Component: DoxygenPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.10

Description (last modified by Ryan J Ollos)

Hi,

I'm not sure what the ?path=/full/path/disclosure/bla.html is good for.

In my opinion it's disclosing potentially sensitive information.

Cheers, /thorkill

--- simple fix

  • 0.10/doxygentrac/doxygentrac.py

     
    237237                              href=formatter.href.doxygen())
    238238            else:
    239239                return html.a(label, title=params,
    240                               href=formatter.href.doxygen(link, path=path))
     240                              href=formatter.href.doxygen(link))
    241241        yield ('doxygen', doxygen_link)
    242242
    243243    def get_wiki_syntax(self):
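Review bot: Dropping `path=path` from `formatter.href.doxygen(link, path=path)` only stops the wiki link from emitting the server's filesystem path; the request handler that reads `path` from the query string still has to stop honouring it, otherwise a client can keep supplying the parameter and it is processed as before (the eventual fix in r15358 removes the parameter on that side). Also worth checking whether `params`, still passed as `title=params` on the line above, carries the same path into the rendered title attribute.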

Attachments (0)

Change History (3)

comment:2 Changed 8 years ago by anonymous

Any plans to merge this in SVN?

comment:3 Changed 7 years ago by Ryan J Ollos

Description: modified (diff)

comment:4 Changed 17 months ago by Committo-Ergo-Sum

Resolution: fixed
Status: new → closed

In 15358:

DoxygenPlugin: new implementation of IRequestHandler methods. In particular, the "path" parameter in the query-string is dropped. This fixes #772 #951 #962 #1564 and #2702 which complain about the security vulnerability it may contain, and other wrong path generations.
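The two halves of the fix described in this ticket, as an added illustration that is not the plugin's own code and uses no Trac API: the link generation before and after the attached patch, and a server-side lookup in the spirit of r15358 that ignores any client-supplied `path` and resolves documents only relative to a configured root. `DOC_ROOT`, `link_before`, `link_after` and `resolve_document` are hypothetical names chosen for the example; the root directory value is constructed.

```python
import os
import posixpath
from urllib.parse import urlencode

# Constructed stand-in for the plugin's configured documentation root
# (hypothetical value, not taken from the ticket).
DOC_ROOT = "/var/www/doxygen"


def link_before(base_url, link, fs_path):
    """Link as built before the attached patch: the server-side filesystem
    path travels in the query string, so every rendered page reveals it."""
    return base_url + "?" + urlencode({"link": link, "path": fs_path})


def link_after(base_url, link):
    """Link as built after the patch: only the document name is sent; the
    server locates the file itself."""
    return base_url + "?" + urlencode({"link": link})


def resolve_document(args, doc_root=DOC_ROOT):
    """Server-side resolution that does not trust a client-supplied path.

    Returns the absolute file path to serve, or None when the request is
    refused. A 'path' key in args is ignored entirely, mirroring r15358
    dropping the parameter; the document is located relative to the
    configured root and the resolved location must stay inside that root.
    """
    link = args.get("link", "")
    if not link:
        return None
    # Normalise URL-style segments, then refuse anything that escapes the root.
    rel = posixpath.normpath(link).lstrip("/")
    candidate = os.path.normpath(os.path.join(doc_root, rel))
    root = os.path.normpath(doc_root)
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    base = "https://example.invalid/doxygen"
    print(link_before(base, "index.html", "/var/www/doxygen/index.html"))
    print(link_after(base, "index.html"))
    print(resolve_document({"link": "index.html", "path": "/elsewhere"}))
    print(resolve_document({"link": "../outside.html"}))
```

The point of `resolve_document` is that the filesystem location is a server-side decision: the client names a document, the server decides where documents live, and nothing about the server's directory layout is sent back in generated URLs.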
