Opened 8 years ago

Closed 8 years ago

#7082 closed defect (fixed)

Reported by: Anders Kaseorg
Owned by: obs
Priority: normal
Component: SensitiveTicketsPlugin
Severity: normal
Trac Release: 0.11

Description

The SensitiveTickets plugin throws an “Invalid Ticket Number” exception not only when displaying nonexistent tickets, but also when displaying tickets that accidentally link to nonexistent tickets, e.g. because someone happened to write #999999 in a comment. Please apply the attached patch.

comment:1 Changed 8 years ago by Anders Kaseorg

Your Trac seems to discard the commit message from the patch, so I’ll reproduce it below in case you want to use it:

Deny access to nonexistent tickets instead of throwing an exception.

Previously, the SensitiveTickets plugin threw an “Invalid Ticket
Number” exception not only when displaying nonexistent tickets, but
also when displaying tickets that accidentally link to nonexistent
tickets, e.g. because someone happened to write #999999 in a comment.

condition when an attacker views a sensitive ticket just as it’s being
created.)

Signed-off-by: Anders Kaseorg <andersk@mit.edu>


comment:2 Changed 8 years ago by Anders Kaseorg

Owner: changed from Sebastian Benthall to obs

comment:3 Changed 8 years ago by Anders Kaseorg

There’s some discussion about an alternative patch for the same problem on #5308. My patch is better because it isn’t vulnerable to the race condition (see #5308 for details), so I closed it as a duplicate.
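The two failure modes discussed in this ticket (the exception leaking into any page that merely links to a missing ticket, and the race against ticket creation) as an added, self-contained Python illustration; this is not the plugin's or Trac's code: `TicketStore`, `check_view` and the `missing` switch are assumptions standing in for Trac's ticket model and the plugin's permission check, and the `"allow"` variant is a hypothetical fail-open policy included only to show why denying a nonexistent ticket is the race-safe choice.

```python
import re

class InvalidTicketNumber(Exception):
    """Stands in for the 'Invalid Ticket Number' error (assumption)."""

class TicketStore:
    """Minimal stand-in for Trac's ticket table (assumption)."""
    def __init__(self):
        self._tickets = {}  # id -> {"sensitive": bool}
    def create(self, tid, sensitive):
        self._tickets[tid] = {"sensitive": sensitive}
    def get(self, tid):
        if tid not in self._tickets:
            raise InvalidTicketNumber(tid)
        return self._tickets[tid]

def check_view(store, tid, can_see_sensitive, missing):
    """True if the viewer may see ticket `tid`. `missing` selects how an
    unresolvable id is handled: "raise" (pre-patch), "deny" (the #7082
    patch) or "allow" (hypothetical fail-open variant, for contrast)."""
    try:
        ticket = store.get(tid)
    except InvalidTicketNumber:
        if missing == "raise":
            raise
        return missing == "allow"
    return can_see_sensitive or not ticket["sensitive"]

def render_comment_links(store, text, can_see_sensitive, missing):
    """Resolve every '#NNN' in a comment, as a ticket page does when it
    links to other tickets; returns the ids that render as links."""
    ids = (int(n) for n in re.findall(r"#(\d+)", text))
    return [t for t in ids if check_view(store, t, can_see_sensitive, missing)]

def race_leaks(missing):
    """Check runs while ticket 42 is absent; it is created before the page
    renders. True means a viewer without the permission gets to see it."""
    store = TicketStore()
    decision = check_view(store, 42, False, missing)  # ticket 42 absent
    store.create(42, sensitive=True)                  # creation lands here
    return decision

if __name__ == "__main__":
    store = TicketStore()
    store.create(1, sensitive=False)
    comment = "Related to #1, see also #999999"  # constructed sample comment
    try:
        render_comment_links(store, comment, False, "raise")  # pre-patch
    except InvalidTicketNumber as exc:
        print("pre-patch: page fails with Invalid Ticket Number", exc)
    print("patched:", render_comment_links(store, comment, False, "deny"))
    print("race leaks, fail-open:", race_leaks("allow"), "deny:", race_leaks("deny"))
```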

comment:4 Changed 8 years ago by obs

Resolution: → fixed
Status: new → closed

Thanks to Anders Kaseorg <andersk@mit.edu> for providing a patch

Fixes #7082
