Defect #31778: Total estimated time issue query column and issue field might leak information - Redmine

Defect #31778

Total estimated time issue query column and issue field might leak information

Added by Felix Schäfer 25 days ago. Updated 8 days ago.

Status:

Closed

Start date:

Priority:

Normal

Due date:

Assignee:

Go MAEDA

% Done:

Category:

Issues

Target version:

3.4.12

Resolution:

Affected version:

Description

The total estimated time information will show the sum of the estimated times of the issues and its subissues. This calculation does not verify if the current user is allowed to see the sub issues though, which might lead to an information leak.

Attached is a patch with a test for this issue. This patch was created and contributed by Gregor Schmidt.

0001-Limit-total_estimated_hours-to-visible-issues.patch (4.71 KB) Felix Schäfer, 2019-07-23 17:04

Associated revisions

Revision 18356
Added by Go MAEDA 10 days ago

Limit total_estimated_hours to visible issues (#31778).

Patch by Gregor Schmidt.

Revision 18359
Added by Go MAEDA 8 days ago

Merged r18356 from trunk to 4.0-stable (#31778).

Revision 18360
Added by Go MAEDA 8 days ago

Merged r18356 from trunk to 3.4-stable (#31778).

History

#1 Updated by Go MAEDA 24 days ago

Target version set to 4.0.5

Setting the target version to 4.0.5.

#2 Updated by Go MAEDA 10 days ago

Status changed from New to Resolved
Assignee set to Go MAEDA

Committed the fix. Thank you.

#3 Updated by Go MAEDA 8 days ago

Status changed from Resolved to Closed
Target version changed from 4.0.5 to 3.4.12

Also available in: Atom PDF

Redmine