Project

General

Profile

Actions
Copy link

Defect #18159

closed

Security issue when using local repositories

Added by Luciano Silveira about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Duplicate
Affected version:

Description

Access to local repositories uses the system access rules. Since the system user used to run Redmine is unique, all local repositories must be accessible by this user. So, if a manager of one project knows the path to the repository of another project, he or she can configure a local repository for his/her own project using that path, obtaining reading access to that repository.

Related issues

Is duplicate of Redmine - Feature #10966: [SECURITY] Project Managers should not be able to choose an URL for a local repositoryClosed

Actions
Actions
Copy link

Also available in: Atom PDF