Ticket #1212 (closed enhancement: duplicate)

Opened 2 years ago

Last modified 2 years ago

Security issue allowing to download files of the server running trac

Reported by: Daniel Werner
Assigned to: Blackhex
Priority: highest
Component: DoxygenPlugin
Severity: critical
Keywords: security
Cc:
Trac Release: 0.10

Description

By entering any path and a corresponding file after any of the HTML files generated by Doxygen in the following URL:

http://tracServer/projects/oneProject/doxygen/html/index.html?path=%2fpath%2fto%2fa%2ffile

it allows downloading the specified file, which is a big security issue.
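
The report above describes a request parameter being used as a filesystem path without being confined to the generated documentation directory. The following Python is an added example, not the DoxygenPlugin's code and not the change made in r1983 (neither is shown on this page); it contrasts an unconfined join with a containment check. The function names, the temporary directory layout and the sample files are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import tempfile

def resolve_unsafe(doc_root, requested):
    """Constructed 'before': trusts the request value as a filesystem path."""
    # os.path.join discards doc_root entirely when `requested` is absolute.
    return os.path.join(doc_root, requested)

def resolve_confined(doc_root, requested):
    """Return a real file path inside doc_root, or None if the request escapes it."""
    root = os.path.realpath(doc_root)
    # Treat the value as relative even if it starts with a separator.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # realpath has collapsed ".." and followed symlinks before this comparison.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Build a constructed doc tree and a file outside it, then run both resolvers."""
    base = os.path.realpath(tempfile.mkdtemp())
    doc_root = os.path.join(base, "doxygen", "html")
    os.makedirs(doc_root)
    secret = os.path.join(base, "secret.conf")       # outside doc_root
    index = os.path.join(doc_root, "index.html")     # inside doc_root
    for path in (secret, index):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    # A symlink inside the doc tree that points outside it.
    os.symlink(secret, os.path.join(doc_root, "link.html"))
    return {
        "unsafe_absolute": resolve_unsafe(doc_root, secret) == secret,
        "index": resolve_confined(doc_root, "index.html") == index,
        "absolute": resolve_confined(doc_root, secret),
        "dotdot": resolve_confined(doc_root, "../../secret.conf"),
        "symlink": resolve_confined(doc_root, "link.html"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

When retesting a fix like this through a browser, request a file that has never been fetched before so a cached response is not mistaken for a live one.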

Change History

02/16/07 02:55:01 changed by cboos

  • status changed from new to closed.
  • resolution set to duplicate.

Already reported in #951, yes I know, I'm really lousy with that one :(

A patch would help...

(follow-up: ↓ 3 ) 02/16/07 03:19:42 changed by cboos

Please check r1983.

(in reply to: ↑ 2 ) 02/16/07 09:33:23 changed by Daniel Werner <dan ... moesbar ... net>

Replying to cboos:

Please check r1983.

I tried this patch but it did not resolve the problem :-(

(follow-up: ↓ 7 ) 02/16/07 09:38:06 changed by cboos

Are you sure you cleared the web browser cache?

Try with another file (never downloaded so far), just to be sure.

02/16/07 11:41:54 changed by Daniel Werner <dan ... moesbar ... net>

arghl!.. can't test it right now! We will have to wait until Monday! :)

02/16/07 12:52:33 changed by Blackhex

I tried that right now and it seems to be fixed :-).

(in reply to: ↑ 4 ; follow-up: ↓ 8 ) 02/19/07 05:08:15 changed by Daniel Werner <dwarf007 ... moesbar ... net>

Replying to cboos:

Are you sure you cleared the web browser cache? Try with another file (never downloaded so far), just to be sure.

Actually it did not solve the problem on my installation. I tried with a never downloaded file and I still could download it.. Dunno why!?

(in reply to: ↑ 7 ) 02/19/07 05:15:10 changed by Daniel Werner <dwarf007 ... moesbar ... net>

Replying to Daniel Werner <dwarf007 ... moesbar ... net>:

Actually it did not solve the problem on my installation. I tried with a never downloaded file and I still could download it.. Dunno why!?

Sorry... I reinstalled it properly from the svn repository and it worked. Must have done something wrong the last time.

