Defect #18291

Path property security issue when adding filesystem repository

Added by Bahri Yardim almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Urgent
Assignee: -
Category: Security
Target version: -
Resolution: Duplicate
% Done: 0%
Start date: -
Due date: -
Affected version: -

Description

When adding a filesystem repository, one can enter whatever he wants into the "path" property. This can lead to security issues. For example, I entered "/" as the path of a Redmine project and I was able to see and modify all of the server root (Linux) on which the application runs. (Such behaviour can be replicated on Windows hosts by entering "C:/" as the path.)

So a folder definition for all repositories must be set in a config file (not via the admin panel, because it must not be changed), so that whatever path is entered, the root path will be the one set in the config file.

I think this is a serious security issue.

You can see the screenshots for more information.

1.png - Adding repo (11.4 KB) Bahri Yardim, 2014-11-06 10:20

2.png - Browsing root (33.3 KB) Bahri Yardim, 2014-11-06 10:20
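The containment rule the report asks for (a root directory fixed in configuration, with every entered path confined to it), as an added example in Ruby; this is not code from Redmine or from the reporter, and the directory layout, helper names and sample inputs are constructed here for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Resolve an admin-entered repository path against the configured root and
# return the real absolute path, or nil if it escapes the root. The entered
# value is always treated as a sub-path of the root: a leading "/" or a
# Windows drive letter such as "C:/" is stripped, so the inputs from the
# report ("/", "C:/") map to the configured root, not the host's root.
def resolve_repository_path(entered, allowed_root)
  root = File.realpath(allowed_root)
  relative = entered.to_s.gsub('\\', '/').sub(/\A[A-Za-z]:/, '').sub(%r{\A/+}, '')
  # realpath collapses "." and ".." and follows symlinks, so a traversal or a
  # link pointing outside the root is caught by the prefix check below.
  real = File.realpath(File.join(root, relative))
  inside = real == root || real.start_with?(root + File::SEPARATOR)
  inside ? real : nil
rescue Errno::ENOENT, Errno::ENOTDIR, Errno::EACCES
  nil # a path that cannot be inspected is not a usable repository either
end

# Constructed sample layout (hypothetical, not from the report):
#   <tmp>/repos/project-a          a legitimate repository directory
#   <tmp>/repos/escape -> <tmp>/outside   a symlink leading out of the root
def build_sample_layout
  base = Dir.mktmpdir('redmine-repo-root')
  root = File.join(base, 'repos')
  FileUtils.mkdir_p(File.join(root, 'project-a'))
  FileUtils.mkdir_p(File.join(base, 'outside'))
  File.symlink(File.join(base, 'outside'), File.join(root, 'escape'))
  root
end

# Inputs an administrator might type, including the two from the report.
SAMPLE_INPUTS = ['project-a', '/', 'C:/', '../../etc', 'escape', 'missing'].freeze

# Map each input to [:allowed, resolved_path] or [:rejected].
def evaluate_inputs(root, inputs = SAMPLE_INPUTS)
  inputs.each_with_object({}) do |input, results|
    resolved = resolve_repository_path(input, root)
    results[input] = resolved ? [:allowed, resolved] : [:rejected]
  end
end

if __FILE__ == $PROGRAM_NAME
  root = build_sample_layout
  evaluate_inputs(root).each do |input, verdict|
    puts "#{input.inspect.ljust(12)} => #{verdict.join(' ')}"
  end
end
```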


Related issues

Duplicates Redmine - Feature #1415: Let system administrator limit repositories valid sources Closed 2008-06-09

History

#1 Updated by Go MAEDA almost 3 years ago

#2 Updated by Go MAEDA almost 3 years ago

  • Related to Feature #13038: Base path for filesystem repository adapter added

#3 Updated by Jean-Philippe Lang almost 3 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Closing as a dup of #1415, which is addressed for 3.0 by adding configuration settings to limit valid repository paths.

#4 Updated by Jean-Philippe Lang almost 3 years ago

#5 Updated by Jean-Philippe Lang almost 3 years ago

  • Related to deleted (Feature #13038: Base path for filesystem repository adapter)

#6 Updated by Jean-Philippe Lang almost 3 years ago

  • Duplicates Feature #1415: Let system administrator limit repositories valid sources added
