Opened 10 years ago

Closed 11 months ago

#951 closed defect (fixed)

Any file in the file system can be accessed via the Doxygen plugin

Reported by: alastair@… Owned by: cboos
Priority: highest Component: DoxygenPlugin
Severity: major Keywords:
Cc: Trac Release: 0.10


Similar to ticket #722, links to the DoxygenPlugin in wiki articles suffer the same issue of missing a trailing slash. I tried searching the Python source for a solution, but to no avail (I'm no Python coder!), and it only applies to pages that the plugin is unable to serve.

Additionally, I've found that in wiki links that are interpreted properly, the full filesystem location of the file to be served is present in the URL. Please can this be changed; after all, it doesn't happen if you visit the same pages by browsing through the links.

Attachments (0)

Change History (9)

comment:1 Changed 10 years ago by Blackhex

  • Owner changed from Blackhex to cboos

You obviously ment ticket #772. DoxygenPlugin is currently developed by cboos, so I'm reassigning this ticket to him. But IMHO it is duplicate and this information should be appended to #772.

comment:2 Changed 10 years ago by cboos

Ack, but unfortunately these days I've been too busy with Trac itself. Patches welcomed ;)

The DoxygenPlugin is now also getting higher on my TODO list as I want to migrate it to 0.11. Before that, I'll try to close existing issues.

comment:3 Changed 10 years ago by marko@…

  • Priority changed from high to highest
  • Severity changed from major to blocker
  • Summary changed from Wrong link path in Wiki links and filesystem location of doc in URL to Any file in the file system can be accessed via the Doxygen plugin

There is a *huge* security vulnerability in the "path" GET parameter described in this ticket.

You can replace the absolute path shown with, say, /etc/passwd and receive a copy of the that file.

comment:4 Changed 10 years ago by cboos

  • Status changed from new to assigned

#1212 also urges about this...

comment:5 Changed 10 years ago by cboos

r1983 should fix this, please test.

Problem is, that plugin really needs a rewrite, maybe I'll do it when porting to 0.11...

comment:6 Changed 8 years ago by anonymous

Update please. Is it fixed in 0.11?

comment:7 Changed 7 years ago by slick666

Looking for update to this. Is this not that serious of an issue?

comment:8 Changed 7 years ago by cboos

  • Severity changed from blocker to major

I never got a reply to comment:5 ... for me the issue was fixed.

So if someone has an issue with this plugin, he's welcome to contribute patches. After all, that's how I came up there, I wanted to use that plugin, realized it was not working as well as I expected, contributed a few patches for fixing several issues, and made some improvements like the 0.11 port. Anyone is welcomed to do the same.

comment:9 Changed 11 months ago by Committo-Ergo-Sum

  • Resolution set to fixed
  • Status changed from assigned to closed

In 15358:

DoxygenPlugin: new implementation of IRequestHandler methods. In particular, the "path" parameter in the query-string is droped. This fixes #772 #951 #962 #1564 and #2702 who complain about the security vulnerability it may contain, and other wrong path generations.

Add Comment

Modify Ticket

as closed The owner will remain cboos.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.