
Opened 8 years ago

Closed 7 years ago

#7082 closed defect (fixed)

[PATCH] Deny access to nonexistent tickets instead of throwing an exception

Reported by: Anders Kaseorg
Owned by: obs
Priority: normal
Component: SensitiveTicketsPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

The SensitiveTickets plugin throws an “Invalid Ticket Number” exception not only when displaying nonexistent tickets, but also when displaying tickets that accidentally link to nonexistent tickets, e.g. because someone happened to write #999999 in a comment. Please apply the attached patch.

Attachments (1)

sensitivetickets-deny-nonexistent.patch (2.1 KB) - added by Anders Kaseorg 8 years ago.


Change History (5)

Changed 8 years ago by Anders Kaseorg

comment:1 Changed 8 years ago by Anders Kaseorg

Your Trac seems to discard the commit message from the patch, so I’ll reproduce it below in case you want to use it:

Deny access to nonexistent tickets instead of throwing an exception.

Previously, the SensitiveTickets plugin threw an “Invalid Ticket
Number” exception not only when displaying nonexistent tickets, but
also when displaying tickets that accidentally link to nonexistent
tickets, e.g. because someone happened to write #999999 in a comment.
Fix this by properly denying access to nonexistent tickets.

(Allowing access to nonexistent tickets would lead to a dangerous race
condition when an attacker views a sensitive ticket just as it’s being
created.)

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
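
The three ways a permission check can treat a ticket id that does not exist, as an added Python sketch that is not the plugin's code or the attached patch. `TicketStore`, the `check_*` functions, `render_links` and `view_during_creation` are hypothetical names, and the in-memory store is an assumed stand-in for Trac's ticket lookup.

```python
# Added illustration, not SensitiveTicketsPlugin code; every name is hypothetical.
class ResourceNotFound(Exception):
    """Stand-in for the lookup error raised for an unknown ticket id."""

class TicketStore:
    def __init__(self):
        self._tickets = {}  # ticket id -> True if the ticket is sensitive
    def create(self, tid, sensitive):
        self._tickets[tid] = sensitive
    def is_sensitive(self, tid):
        if tid not in self._tickets:
            raise ResourceNotFound("Invalid Ticket Number %d" % tid)
        return self._tickets[tid]

def check_throwing(store, tid, privileged):
    """Reported behaviour: the lookup error escapes the permission check."""
    sensitive = store.is_sensitive(tid)
    return privileged or not sensitive

def check_fail_open(store, tid, privileged):
    """Allowing access to a nonexistent ticket (the racy option)."""
    try:
        sensitive = store.is_sensitive(tid)
    except ResourceNotFound:
        return True
    return privileged or not sensitive

def check_fail_closed(store, tid, privileged):
    """Denying access to a nonexistent ticket, as the ticket title asks."""
    try:
        sensitive = store.is_sensitive(tid)
    except ResourceNotFound:
        return False
    return privileged or not sensitive

def render_links(store, check, linked_ids, privileged=False):
    """Assumed model: a #NNN reference becomes a link only if the viewer may see it."""
    return ["link" if check(store, t, privileged) else "plain" for t in linked_ids]

def view_during_creation(check):
    """Decision taken before the ticket exists, content served after."""
    store = TicketStore()
    allowed = check(store, 42, False)  # ticket 42 has not been created yet
    store.create(42, sensitive=True)   # the sensitive ticket appears in between
    return allowed                     # True: the sensitive ticket would be shown

if __name__ == "__main__":
    print(view_during_creation(check_fail_open), view_during_creation(check_fail_closed))
```

With the fail-closed check, a comment that mentions #999999 renders as plain text instead of aborting the page, and a decision made before a sensitive ticket exists stays a denial.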

comment:2 Changed 8 years ago by Anders Kaseorg

Owner: changed from Sebastian Benthall to obs

comment:3 Changed 8 years ago by Anders Kaseorg

There’s some discussion about an alternative patch for the same problem on #5308. My patch is better because it isn’t vulnerable to the race condition (see #5308 for details), so I closed it as duplicate.

comment:4 Changed 7 years ago by obs

Resolution: fixed
Status: new → closed

(In [8233]) Deny access to nonexistent tickets instead of throwing an exception.

Thanks to Anders Kaseorg <andersk@mit.edu> for providing a patch

Fixes #7082
