Opened 17 years ago
Last modified 13 years ago
#2968 assigned defect
data leakage between users
| Reported by: | Brett | Owned by: | Petr Škoda |
|---|---|---|---|
| Priority: | normal | Component: | TracDownloaderPlugin |
| Severity: | major | Keywords: | security |
| Cc: | Trac Release: | 0.11 |
Description
This is a periodic one and is probably only applicable to mod_python (and possibly FCGI) installations but all versions of trac.
Basically, when creating a DownloadData object, it initializes self.schema to the form_data.quest_form object. This is only a reference though. As the code sets values in self.schema, it is also setting them in the global form_data.quest_form. When a different user's request is handled by the same mod_python process, their form data is now prefilled with the data entered by the last user that was served by that process. Unfortunately, this can include sensitive information.
My solution was to import copy and then change the assignment in init to a deepcopy operation.
self.schema = copy.deepcopy(form_data.quest_form)
Attachments (0)
Change History (2)
comment:1 Changed 16 years ago by
| Status: | new → assigned |
|---|
comment:2 Changed 13 years ago by
| Keywords: | security added |
|---|
Thank you for help, I'll implement your fixes as soon as I have time to do so. Your solution i good. I was unable to identify source of this problem for long time.
Have a nice day! Peca