Project

General

Profile

Actions

Defect #18291

closed

Path property security issue when adding filesystem repository

Added by Bahri Yardim over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Duplicate
Affected version:

Description

When adding a filesystem repository, one can enter whatever he wants into "path" property. This can lead to security issues. For example i entered "/" as path to a redmine project and i was able to see and modify all of the server root (linux) in which the application runs. (Such behaviour can be replicated in windows hosts by entering "C:/" into path).

So a folder definition for all repositories must be set in a config file (not via admin panel because it must not be changed). So that whatever path is entered, the root path will be the one set in config file.

I think this is a serious security issue.

You can see screenshots for information.


Files

1.png (11.4 KB) 1.png Adding repo Bahri Yardim, 2014-11-06 10:20
2.png (33.3 KB) 2.png Browsing root Bahri Yardim, 2014-11-06 10:20

Related issues

Is duplicate of Redmine - Feature #1415: Let system administrator limit repositories valid sourcesClosedJean-Philippe Lang2008-06-09

Actions
Actions #1

Updated by Go MAEDA over 9 years ago

Actions #2

Updated by Go MAEDA over 9 years ago

  • Related to Feature #13038: Base path for filesystem repository adapter added
Actions #3

Updated by Jean-Philippe Lang over 9 years ago

  • Status changed from New to Closed
  • Resolution set to Duplicate

Closing as a dup of #1415 which is addressed for 3.0 by adding configuration settings to limit valid repository path.

Actions #4

Updated by Jean-Philippe Lang over 9 years ago

Actions #5

Updated by Jean-Philippe Lang over 9 years ago

  • Related to deleted (Feature #13038: Base path for filesystem repository adapter)
Actions #6

Updated by Jean-Philippe Lang over 9 years ago

  • Is duplicate of Feature #1415: Let system administrator limit repositories valid sources added
Actions

Also available in: Atom PDF