
Opened 7 years ago

Closed 7 years ago

#6771 closed defect (fixed)

Plugin uses "assert" to check perms, which could go away with -O

Reported by: Joshua Kugler Owned by: Ryan J Ollos
Priority: highest Component: TicketChangePlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11

Description

On line 55 of web_ui.py (current svn), it says:

assert req.perm.has_permission('TICKET_ADMIN')

According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See http://docs.python.org/reference/simple_stmts.html#the-assert-statement

Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket.
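The failure mode the report describes, as an added example that is not part of this ticket or of the plugin's code: an `assert`-based handler and a `require`-based one are each compiled with Python 3's `compile(optimize=...)`, which applies the same assert-stripping as `python -O`, so the effect can be seen in a single process. The request/permission objects are constructed stand-ins for Trac's `req.perm`, and the `process_request` bodies are assumptions, not the plugin's source.

```python
# Constructed stand-ins for Trac's req.perm and PermissionError (not Trac's own code).
class PermissionError(Exception):
    """Stand-in for trac.perm.PermissionError."""


class PermissionCache:
    """Minimal req.perm look-alike: the set of actions the user may perform."""

    def __init__(self, actions):
        self._actions = frozenset(actions)

    def has_permission(self, action):
        return action in self._actions

    def require(self, action):
        # The Trac idiom: raise instead of returning False, so nothing can optimise it out.
        if action not in self._actions:
            raise PermissionError(action)


# Handler bodies kept as source text so each can be compiled with or without -O semantics.
ASSERT_HANDLER = """
def process_request(perm):
    assert perm.has_permission('TICKET_ADMIN')  # dropped entirely when optimize >= 1
    return 'ticket edited'
"""
REQUIRE_HANDLER = """
def process_request(perm):
    perm.require('TICKET_ADMIN')  # raises PermissionError; survives -O
    return 'ticket edited'
"""


def run_handler(source, perm, optimize):
    """Compile like `python -O` (optimize=1) or plain python (optimize=0); 'allowed'/'denied'."""
    namespace = {}
    exec(compile(source, '<handler>', 'exec', optimize=optimize), namespace)
    try:
        namespace['process_request'](perm)
    except (AssertionError, PermissionError):
        return 'denied'
    return 'allowed'


def compare(perm):
    """Outcome of both handler styles for one user, with and without -O."""
    return {(style, opt): run_handler(src, perm, opt)
            for style, src in (('assert', ASSERT_HANDLER), ('require', REQUIRE_HANDLER))
            for opt in (0, 1)}
```

For a user lacking `TICKET_ADMIN`, `compare` reports the assert handler as denied only at optimize=0 and allowed at optimize=1, while the require handler is denied in both cases.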

Attachments (0)

Change History (2)

comment:1 Changed 7 years ago by Ryan J Ollos

Owner: changed from Sergei Luchko to Ryan J Ollos
Status: new → assigned

Yes, this is an incorrect use of the Trac API.

comment:2 Changed 7 years ago by Ryan J Ollos

Resolution: fixed
Status: assigned → closed

(In [9653]) Fixed incorrect use of Trac API in enforcement of permissions. Fixes #6771.
