Defect #21136

Issues API may disclose changeset messages that are not visible

Added by Jan from Planio www.plan.io about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Category: Issues
Target version: 2.6.8
Resolution: Fixed
Start date:
Due date:
% Done: 0%
Affected version:

Description

The check to include related changesets in the single issue API view currently is done against the project of the issue.

An issue can have related changesets from other projects, where the current user might not have the permission to see changesets. This leads to changeset messages being leaked to users without the permission to see those.

The attached patch (created by Felix Schäfer) uses the changesets passed by the controller instead of reimplementing logic in the view, thus sharing the same logic as the html view.

231789.patch (3.16 KB) Jan from Planio www.plan.io, 2015-11-02 22:43
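A constructed illustration of the pattern the description reports (an added example, not the attached patch or Redmine's own code): a single permission check against the issue's project, beside the per-changeset filter that the controller already applies for the HTML view. The structs, the permission table and the sample data are assumptions.

```ruby
# Minimal, constructed model of the visibility defect in #21136.
# Not Redmine's code: the structs and the permission table are assumptions.
Project   = Struct.new(:name)
Changeset = Struct.new(:project, :revision, :comments)
Issue     = Struct.new(:project, :changesets)

# A user is a hash listing the projects in which they may view changesets.
def can_view_changesets?(user, project)
  user[:view_changesets].include?(project)
end

# Vulnerable pattern: one check against the issue's own project, after which
# every related changeset is serialised, including those from other projects
# where the user has no permission to see changesets.
def api_changesets_vulnerable(user, issue)
  return [] unless can_view_changesets?(user, issue.project)
  issue.changesets.map(&:comments)
end

# Fixed pattern: decide visibility per changeset, against the project the
# changeset belongs to, and let the API reuse that same filtered list.
def visible_changesets(user, issue)
  issue.changesets.select { |cs| can_view_changesets?(user, cs.project) }
end

def api_changesets_fixed(user, issue)
  visible_changesets(user, issue).map(&:comments)
end

# Constructed sample data: a public issue referenced by a commit in a
# private project, viewed by a user who may only see the public project.
PUBLIC_PROJECT  = Project.new("public")
PRIVATE_PROJECT = Project.new("private")
ISSUE = Issue.new(PUBLIC_PROJECT, [
  Changeset.new(PUBLIC_PROJECT, "r1", "Fix typo (public)"),
  Changeset.new(PRIVATE_PROJECT, "r2", "Internal hotfix (private)")
])
OUTSIDER = { view_changesets: [PUBLIC_PROJECT] }

if __FILE__ == $0
  puts "vulnerable: #{api_changesets_vulnerable(OUTSIDER, ISSUE).inspect}"
  puts "fixed:      #{api_changesets_fixed(OUTSIDER, ISSUE).inspect}"
end
```

Running it shows the private commit message in the vulnerable output and only the public one in the fixed output.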

Associated revisions

Revision 14794
Added by Jean-Philippe Lang about 3 years ago

Fixed that Issues API may disclose changesets that are not visible (#21136).

History

#1 Updated by Jean-Philippe Lang about 3 years ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Thanks for reporting this. The fix is committed in r14794.
The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test had actually access to the changeset).

#2 Updated by Jan from Planio www.plan.io about 3 years ago

Jean-Philippe Lang wrote:

The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test had actually access to the changeset).

Thanks for committing this (and for pointing this out as well).

#3 Updated by Jean-Philippe Lang about 3 years ago

  • Project changed from Security to Redmine
  • Subject changed from Information leak in IssuesController#show API to Issues API may disclose changeset messages that are not visible
  • Category set to Issues
  • Status changed from Resolved to Closed
  • Target version set to 2.6.8
  • Private changed from No to Yes

#4 Updated by Jan from Planio www.plan.io about 3 years ago

  • Private changed from Yes to No

Making this public since fixes have been released already.
