
Opened 9 years ago

Last modified 5 years ago

#2968 assigned defect

data leakage between users

Reported by: Brett
Owned by: Petr Škoda
Priority: normal
Component: TracDownloaderPlugin
Severity: major
Keywords: security
Cc:
Trac Release: 0.11

Description

This is a periodic one and is probably only applicable to mod_python (and possibly FCGI) installations but all versions of trac.

Basically, when creating a DownloadData object, it initializes self.schema to the form_data.quest_form object. This is only a reference though. As the code sets values in self.schema, it is also setting them in the global form_data.quest_form. When a different user's request is handled by the same mod_python process, their form data is now prefilled with the data entered by the last user that was served by that process. Unfortunately, this can include sensitive information.

My solution was to import copy and then change the assignment in __init__ to a deepcopy operation.

   self.schema = copy.deepcopy(form_data.quest_form)
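The aliasing bug and the deepcopy fix side by side, as an added example that is not the reporter's or the plugin's own code. The form structure, class names and the two-request simulation are constructed stand-ins; only the reference-versus-deepcopy behaviour comes from the ticket.

```python
import copy


def make_form():
    """Constructed stand-in for the plugin's module-level form definition.
    The real form_data.quest_form is a different structure; this one only
    needs to be mutable and shared across requests to show the problem."""
    return {"fields": [{"name": "email", "value": ""},
                       {"name": "company", "value": ""}]}


class LeakyDownloadData:
    """Mirrors the reported bug: self.schema is a reference to the shared
    form object, so every value written here lands in the global."""

    def __init__(self, form):
        self.schema = form  # reference, not a copy

    def fill(self, submitted):
        """Copy submitted values into the schema and return it for rendering."""
        for field in self.schema["fields"]:
            if field["name"] in submitted:
                field["value"] = submitted[field["name"]]
        return self.schema


class FixedDownloadData(LeakyDownloadData):
    """The reporter's fix: deep-copy the definition so writes stay per-request."""

    def __init__(self, form):
        self.schema = copy.deepcopy(form)


def serve_two_requests(cls):
    """Simulate one long-lived worker (a mod_python process) serving two users
    in turn against the same module-level form. Returns the prefilled values
    the second user sees before typing anything."""
    shared_form = make_form()  # lives for the life of the process
    cls(shared_form).fill({"email": "alice@example.test", "company": "Acme"})
    rendered = cls(shared_form).fill({})  # second user, empty submission
    return {f["name"]: f["value"] for f in rendered["fields"]}


if __name__ == "__main__":
    print("leaky:", serve_two_requests(LeakyDownloadData))  # first user's data
    print("fixed:", serve_two_requests(FixedDownloadData))  # empty fields
```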

Attachments (0)

Change History (2)

comment:1 Changed 9 years ago by Petr Škoda

Status: new → assigned

Thank you for the help, I'll implement your fixes as soon as I have time to do so. Your solution is good. I was unable to identify the source of this problem for a long time.

Have a nice day! Peca

comment:2 Changed 5 years ago by Ryan J Ollos

Keywords: security added
