Opened 10 years ago

# data leakage between users

Reported by: Brett | Owned by: Petr Škoda | Priority: normal | Component: TracDownloaderPlugin | Severity: major | Keywords: security | Trac Release: 0.11

### Description

This is a periodic one and is probably only applicable to mod_python (and possibly FCGI) installations, but to all versions of Trac.

Basically, when creating a DownloadData object, it initializes self.schema to the form_data.quest_form object. This is only a reference, though. As the code sets values in self.schema, it is also setting them in the global form_data.quest_form. When a different user's request is handled by the same mod_python process, their form data is now prefilled with the data entered by the last user that was served by that process. Unfortunately, this can include sensitive information.

My solution was to import copy and then change the assignment in `__init__` to a deepcopy operation.

    import copy

    # in DownloadData.__init__: take a private copy instead of aliasing the module-level object
    self.schema = copy.deepcopy(form_data.quest_form)
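The following is an added, self-contained example that reproduces the aliasing bug described above and shows why the fix has to be a deep copy. It is not code from TracDownloaderPlugin: `QUEST_FORM`, the field names, `DownloadData.fill_from_request` and `simulate_two_users` are constructed stand-ins for the plugin's module-level `form_data.quest_form` and the per-request object that writes into it. It also goes one step beyond the ticket by showing that a shallow `copy.copy` would still leak, because the nested field dicts remain shared.

```python
import copy

# Constructed stand-in for the plugin's module-level form_data.quest_form.
# In a mod_python or FastCGI deployment this object is imported once per
# worker process and then lives as long as that process does.
# Field names are hypothetical.
QUEST_FORM = {
    "fields": [
        {"name": "name", "label": "Name", "value": ""},
        {"name": "email", "label": "E-mail", "value": ""},
        {"name": "company", "label": "Company", "value": ""},
    ]
}


def make_schema(shared, mode):
    """Return the schema a new DownloadData should work on.

    "reference": the reported bug, self.schema aliases the module object.
    "shallow":   a new outer dict, but the same inner field dicts.
    "deep":      the reporter's fix, a fully independent copy.
    """
    if mode == "reference":
        return shared
    if mode == "shallow":
        return copy.copy(shared)
    if mode == "deep":
        return copy.deepcopy(shared)
    raise ValueError("unknown mode: %r" % mode)


class DownloadData:
    """Sketch of a per-request object holding the questionnaire schema."""

    def __init__(self, shared_schema, mode):
        self.schema = make_schema(shared_schema, mode)

    def fill_from_request(self, req_args):
        # Store submitted values into the schema so the form can be
        # re-rendered with the user's input. With an aliased schema these
        # writes land in the process-wide object.
        for field in self.schema["fields"]:
            if field["name"] in req_args:
                field["value"] = req_args[field["name"]]

    def prefilled(self):
        # What a freshly rendered form shows before the user types anything.
        return {f["name"]: f["value"] for f in self.schema["fields"]}


def simulate_two_users(mode):
    """Two requests served by one long-lived process that share QUEST_FORM.

    Returns the values the second user sees prefilled in the form.
    """
    # Fresh "module state" for each simulation run so modes do not interfere.
    shared = copy.deepcopy(QUEST_FORM)

    # Request 1: user A submits personal data (constructed sample input).
    first = DownloadData(shared, mode)
    first.fill_from_request({"name": "Alice", "email": "alice@example.org"})

    # Request 2: user B, new DownloadData, same process, same module object.
    second = DownloadData(shared, mode)
    return second.prefilled()


def leaks_between_users(mode):
    """True if any of user A's input shows up in user B's empty form."""
    return any(v != "" for v in simulate_two_users(mode).values())


if __name__ == "__main__":
    for mode in ("reference", "shallow", "deep"):
        print("%-9s leaks=%-5s %s" % (mode, leaks_between_users(mode),
                                       simulate_two_users(mode)))
```

Running it shows the second user's form prefilled with Alice's name and address in both the `reference` and `shallow` modes; only `deep` yields an empty form. The general rule this illustrates: any mutable object that outlives a request (module globals, class attributes, cached templates) must never be handed to per-request code by reference if that code writes into it.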


### comment:1 Changed 10 years ago by Petr Škoda

Status: new → assigned

Thank you for the help; I'll implement your fix as soon as I have time to do so. Your solution is good. I was unable to identify the source of this problem for a long time.

Have a nice day! Peca