Defect #9567
closed
Redmine.pm potential security issue with cache credential enabled and subversion
Start date: 2011-11-14
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:
Description
Redmine.pm credential cache is based only on project, user and password, ignoring permissions (or at least read/write type). Credentials cached for reading can thus be reused for committing.
Simple test case:
- ensure credential cache is enabled using "RedmineCacheCredsMax 50",
- create a private project with Subversion SCM,
- assign a user with role "reviewer" (he should have only :browse_repository permission),
- check out the project,
- modify a file,
- commit.
Here is a log excerpt (user bob is reviewer of project monprojet):
First attempt, we get an error 401, asking the user to authenticate for read method "OPTIONS":
192.168.56.1 - - [14/Nov/2011:20:32:27 +0100] "OPTIONS /svn/monprojet/trunk HTTP/1.1" 401 762 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
Then the user successfully authenticates as bob, which is allowed read methods (OPTIONS and PROPFIND):
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "OPTIONS /svn/monprojet/trunk HTTP/1.1" 200 870 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk HTTP/1.1" 207 856 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
There comes the committing part, starting with MKACTIVITY, a write method:
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "MKACTIVITY /svn/monprojet/!svn/act/7d5d2d10-22bb-429d-99d3-958c04a83f6c HTTP/1.1" 201 579 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "CHECKOUT /svn/monprojet/!svn/vcc/default HTTP/1.1" 201 595 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPPATCH /svn/monprojet/!svn/wbl/7d5d2d10-22bb-429d-99d3-958c04a83f6c/3 HTTP/1.1" 207 625 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk HTTP/1.1" 207 564 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "CHECKOUT /svn/monprojet/!svn/ver/3/trunk HTTP/1.1" 201 603 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/!svn/wrk/7d5d2d10-22bb-429d-99d3-958c04a83f6c/trunk/bla3 HTTP/1.1" 404 503 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk/bla3 HTTP/1.1" 404 457 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PUT /svn/monprojet/!svn/wrk/7d5d2d10-22bb-429d-99d3-958c04a83f6c/trunk/bla3 HTTP/1.1" 201 602 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "MERGE /svn/monprojet/trunk HTTP/1.1" 200 1183 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "DELETE /svn/monprojet/!svn/act/7d5d2d10-22bb-429d-99d3-958c04a83f6c HTTP/1.1" 204 141 "-" "SVN/1.6.12 (r955767) neon/0.29.6"
Updated by Jean-Philippe Lang almost 13 years ago
- Status changed from New to Confirmed
Yes, RedmineCacheCredsMax should be disabled for now.
Updated by Jean-Philippe Lang almost 13 years ago
- Status changed from Confirmed to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
This should be fixed in r7809. Can you confirm?
Updated by Guillaume Perréal almost 13 years ago
Confirmed. It indeed denies MKACTIVITY in this test case.
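A toy model of the caching flaw reported in this issue, added here as an example; it is not part of the thread and is not code from Redmine.pm or r7809. The permission table, password, and all class and function names are constructed, and putting the read/write mode into the cache key is one way to close the gap, assumed here rather than taken from the fix.

```python
import hashlib

# The page names OPTIONS and PROPFIND as read methods; GET, HEAD and REPORT
# are added here as an assumption. Everything else is treated as a write.
READ_METHODS = {"OPTIONS", "PROPFIND", "GET", "HEAD", "REPORT"}

# Constructed sample data: bob is a reviewer (browse only) on "monprojet".
PERMISSIONS = {("monprojet", "bob"): {"R"}}
PASSWORDS = {"bob": "s3cret"}


def access_mode(method):
    return "R" if method in READ_METHODS else "W"


class Authenticator:
    """Hypothetical auth handler with a credential cache (not Redmine.pm)."""

    def __init__(self, mode_in_key):
        self.mode_in_key = mode_in_key
        self.cache = {}

    def _key(self, project, user, mode):
        # Flawed key ignores the access mode; hardened key includes it.
        return (project, user, mode) if self.mode_in_key else (project, user)

    def allowed(self, project, user, password, method):
        mode = access_mode(method)
        digest = hashlib.sha256(password.encode()).hexdigest()
        key = self._key(project, user, mode)
        if self.cache.get(key) == digest:
            return True  # cache hit: the permission check below is skipped
        ok = (PASSWORDS.get(user) == password
              and mode in PERMISSIONS.get((project, user), set()))
        if ok:
            self.cache[key] = digest  # only successful checks are cached
        return ok


def replay(mode_in_key):
    """Replay the method order from the log excerpt as reviewer bob."""
    auth = Authenticator(mode_in_key)
    methods = ["OPTIONS", "PROPFIND", "MKACTIVITY", "PUT", "MERGE"]
    return [(m, auth.allowed("monprojet", "bob", "s3cret", m)) for m in methods]


if __name__ == "__main__":
    print("key without mode:", replay(False))
    print("key with mode:   ", replay(True))
```

With the mode left out of the key, the entry cached by the initial OPTIONS request also authorizes MKACTIVITY, PUT and MERGE; with the mode in the key, each write misses the cache and falls through to the permission check.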