Opened 15 years ago
Closed 14 years ago
#5308 closed defect (duplicate)
Links to nonexistent tickets on Trac fail
Reported by: | Mitar | Owned by: | obs |
---|---|---|---|
Priority: | normal | Component: | SensitiveTicketsPlugin |
Severity: | normal | Keywords: | |
Cc: | Mitar, Anders Kaseorg | Trac Release: | 0.11 |
Description
Links to nonexistent tickets on wiki fail with this plugin enabled. For example TracLinks wiki page fails with Ticket 944 does not exist. error if there is no 944 ticket on a system.
Attachments (1)
Change History (10)
Changed 15 years ago by
Attachment: | sensitivetickets.patch added |
---|
comment:1 Changed 15 years ago by
Summary: | Links to nonexistent tickets on wiki fail → Links to nonexistent tickets on Trac fail |
---|
I have made a patch for this bug.
And it is not just links on wiki but everywhere where it is possible to make links to tickets and Trac checks those links.
comment:2 Changed 14 years ago by
Owner: | changed from Sebastian Benthall to obs |
---|
comment:3 Changed 14 years ago by
Cc: | Anders Kaseorg added |
---|
comment:5 Changed 14 years ago by
This was part of my commit message:
(Allowing access to nonexistent tickets would lead to a dangerous race condition when an attacker views a sensitive ticket just as it’s being created.)
In particular, if a sensitive ticket is created between these two lines of trac.ticket.web_ui:
req.perm('ticket', id, version).require('TICKET_VIEW') ticket = Ticket(self.env, id, version=version)
then the permission check will have succeeded and the ticket will be displayed to the attacker.
comment:7 follow-up: 8 Changed 14 years ago by
Hm. But does not your patch prevent users without SENSITIVE_VIEW
permission to open a ticket?
comment:8 Changed 14 years ago by
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Replying to mitar:
Hm. But does not your patch prevent users without
SENSITIVE_VIEW
permission to open a ticket?
No, I just tested; users without SENSITIVE_VIEW
permission are able to open a ticket just fine.
Now, if they open a _sensitive_ ticket, then they do not have permission to view the ticket they just opened, and they are mysteriously redirected back to the new ticket form with no indication that the ticket was successfully opened (even though it was). But that behavior is the same with your patch, my patch, or no patch. I’ll open a separate bug for that.
Also, since neither patch has been applied yet, I’m going to reopen this bug and resolve it as “duplicate”.
comment:9 Changed 14 years ago by
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
(Forgot to log in. That last comment was from me, of course.)
patch