
Opened 8 years ago

Closed 8 years ago

#5308 closed defect (duplicate)

Links to nonexistent tickets on Trac fail

Reported by: Mitar Owned by: obs
Priority: normal Component: SensitiveTicketsPlugin
Severity: normal Keywords:
Cc: Mitar, Anders Kaseorg Trac Release: 0.11

Description

Links to nonexistent tickets on wiki fail with this plugin enabled. For example TracLinks wiki page fails with Ticket 944 does not exist. error if there is no 944 ticket on a system.

Attachments (1)

sensitivetickets.patch (877 bytes) - added by Mitar 8 years ago.
patch


Change History (10)

Changed 8 years ago by Mitar

Attachment: sensitivetickets.patch added

patch

comment:1 Changed 8 years ago by Mitar

Summary: Links to nonexistent tickets on wiki fail → Links to nonexistent tickets on Trac fail

I have made a patch for this bug.

And it is not just links on wiki but everywhere where it is possible to make links to tickets and Trac checks those links.

comment:2 Changed 8 years ago by obs

Owner: changed from Sebastian Benthall to obs

comment:3 Changed 8 years ago by Anders Kaseorg

Cc: Anders Kaseorg added

Hmm, I didn’t notice this bug when I opened #7082. Please do not use this patch, as it opens a race condition where an unprivileged attacker may briefly have access to a sensitive ticket. Please use the patch in #7082 instead.

comment:4 Changed 8 years ago by Mitar

Can you please explain the race condition?

comment:5 Changed 8 years ago by Anders Kaseorg

This was part of my commit message:

(Allowing access to nonexistent tickets would lead to a dangerous race
condition when an attacker views a sensitive ticket just as it’s being
created.)

In particular, if a sensitive ticket is created between these two lines of trac.ticket.web_ui:

        req.perm('ticket', id, version).require('TICKET_VIEW')
        ticket = Ticket(self.env, id, version=version)

then the permission check will have succeeded and the ticket will be displayed to the attacker.
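The interleaving described in this comment, as an added example that is not the plugin's or Trac's code: a constructed in-memory model whose names (TicketStore, sensitive_policy, view_check_then_load, view_load_then_check, run_interleaving) are assumptions made for the illustration. It shows why a policy that lets a nonexistent id pass the permission check leaks a sensitive ticket created inside the window, and why loading the ticket first and deciding on the loaded row closes that window.

```python
"""Constructed model of the check-then-load race; not SensitiveTicketsPlugin code."""
from typing import Callable, Dict, Optional, Set

Hook = Callable[[], None]


class TicketStore:
    """Minimal in-memory ticket table (constructed for this example)."""

    def __init__(self) -> None:
        self._rows: Dict[int, dict] = {}

    def create(self, ticket_id: int, summary: str, sensitive: bool) -> None:
        self._rows[ticket_id] = {"id": ticket_id, "summary": summary, "sensitive": sensitive}

    def exists(self, ticket_id: int) -> bool:
        return ticket_id in self._rows

    def load(self, ticket_id: int) -> dict:
        # Like Ticket(self.env, id) in Trac: a missing id is an error, not an empty object.
        if ticket_id not in self._rows:
            raise KeyError(f"Ticket {ticket_id} does not exist.")
        return self._rows[ticket_id]


def sensitive_policy(store: TicketStore, user_perms: Set[str], ticket_id: int) -> bool:
    """TICKET_VIEW decision keyed on the ticket id alone.

    Models what a policy that tolerates nonexistent ids has to do: with no row
    to inspect there is nothing marked sensitive, so the check passes.
    """
    if not store.exists(ticket_id):
        return True
    row = store.load(ticket_id)
    return (not row["sensitive"]) or ("SENSITIVE_VIEW" in user_perms)


def view_check_then_load(store: TicketStore, user_perms: Set[str], ticket_id: int,
                         between: Hook = lambda: None) -> Optional[dict]:
    """Ordering quoted in the comment: require('TICKET_VIEW') first, Ticket(...) second.

    `between` stands in for whatever another request does in the gap between
    the two statements; the demo uses it to create a sensitive ticket there.
    """
    if not sensitive_policy(store, user_perms, ticket_id):
        return None                   # PermissionError in Trac; None here
    between()                         # the race window
    return store.load(ticket_id)      # rendered without re-checking


def view_load_then_check(store: TicketStore, user_perms: Set[str], ticket_id: int,
                         between: Hook = lambda: None) -> Optional[dict]:
    """Safe ordering: load the row (failing on a missing id), then decide on that row."""
    row = store.load(ticket_id)       # KeyError if the ticket does not exist yet
    between()
    # The decision and the rendering use the same row, so nothing created
    # after the load can widen what the viewer is shown.
    if row["sensitive"] and "SENSITIVE_VIEW" not in user_perms:
        return None
    return row


def run_interleaving(view, preexisting: bool) -> object:
    """Drive one ordering with a viewer who has TICKET_VIEW but not SENSITIVE_VIEW.

    With preexisting=False the sensitive ticket is created inside the window;
    with preexisting=True it already exists before the request starts.
    """
    store = TicketStore()
    viewer = {"TICKET_VIEW"}

    def create_sensitive() -> None:
        store.create(944, "constructed sensitive ticket", sensitive=True)

    if preexisting:
        create_sensitive()
    hook: Hook = (lambda: None) if preexisting else create_sensitive
    try:
        return view(store, viewer, 944, between=hook)
    except KeyError as exc:
        return exc.args[0]


def demo_race() -> dict:
    """Same interleaving against both orderings: what does the viewer get back?"""
    return {
        "check_then_load": run_interleaving(view_check_then_load, preexisting=False),
        "load_then_check": run_interleaving(view_load_then_check, preexisting=False),
    }


if __name__ == "__main__":
    for ordering, shown in demo_race().items():
        print(f"{ordering}: {shown}")
```

With the ticket created inside the window, check-then-load returns the sensitive row to a viewer without SENSITIVE_VIEW, while load-then-check fails on the nonexistent id exactly as the unpatched plugin does. When the sensitive ticket exists before the request, both orderings deny the view, which is why the bug only shows up under this timing.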

comment:6 Changed 8 years ago by Mitar

Resolution: fixed
Status: new → closed

Good catch.

comment:7 Changed 8 years ago by Mitar

Hm. But does not your patch prevent users without SENSITIVE_VIEW permission from opening a ticket?

comment:8 in reply to: 7 Changed 8 years ago by anonymous

Resolution: fixed
Status: closed → reopened

Replying to mitar:

Hm. But does not your patch prevent users without SENSITIVE_VIEW permission from opening a ticket?

No, I just tested; users without SENSITIVE_VIEW permission are able to open a ticket just fine.

Now, if they open a _sensitive_ ticket, then they do not have permission to view the ticket they just opened, and they are mysteriously redirected back to the new ticket form with no indication that the ticket was successfully opened (even though it was). But that behavior is the same with your patch, my patch, or no patch. I’ll open a separate bug for that.

Also, since neither patch has been applied yet, I’m going to reopen this bug and resolve it as “duplicate”.

comment:9 Changed 8 years ago by Anders Kaseorg

Resolution: duplicate
Status: reopened → closed

(Forgot to log in. That last comment was from me, of course.)
