Defect #18291: Path property security issue when adding filesystem repository
Status: Closed
Description
When adding a filesystem repository, one can enter whatever he wants into the "path" property. This can lead to security issues. For example, I entered "/" as the path of a Redmine project and I was able to see and modify all of the server root (Linux) in which the application runs. (Such behaviour can be replicated on Windows hosts by entering "C:/" into the path.)
So a folder definition for all repositories must be set in a config file (not via the admin panel, because it must not be changed), so that whatever path is entered, the root path will be the one set in the config file.
I think this is a serious security issue.
You can see screenshots for information.
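The report proposes that the repository root be fixed in a config file and that any entered path be confined to it. The following Ruby snippet is an added illustration of that containment check and is not Redmine's own code or the fix shipped in 3.0; the class name `RepositoryPathValidator`, the method names and the temporary directory layout built by `run_demo` are all constructed for this example. It canonicalises both the configured base and the candidate path (collapsing `..` and following symlinks) before comparing them, which is what stops "/" or "C:/", a `../` traversal, and a symlink pointing outside the base from being accepted.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# Hypothetical validator (not Redmine's implementation) that confines
# filesystem repository paths to one base directory read from configuration.
class RepositoryPathValidator
  def initialize(base_dir)
    # Resolve symlinks up front so every comparison is between canonical paths.
    @base = Pathname.new(File.realpath(base_dir))
  end

  # Returns the canonical path when it lies inside the base directory,
  # otherwise nil. Relative input is interpreted relative to the base.
  def resolve(user_path)
    candidate = Pathname.new(user_path)
    candidate = @base + candidate unless candidate.absolute?
    # expand_path collapses "." and ".."; realpath follows symlinks and
    # fails for paths that do not exist.
    real = File.realpath(File.expand_path(candidate.to_s))
    rel = Pathname.new(real).relative_path_from(@base).to_s
    return nil if rel == '..' || rel.start_with?('../')
    real
  rescue Errno::ENOENT, Errno::EACCES, ArgumentError
    # Missing path, unreadable path, or (on Windows) a different drive:
    # all rejected rather than guessed at.
    nil
  end

  def valid?(user_path)
    !resolve(user_path).nil?
  end
end

# Builds a throwaway layout (constructed sample, not a real server) and
# exercises the validator. Returns a Hash of case name => accepted?.
def run_demo
  Dir.mktmpdir('repo-demo') do |tmp|
    base = File.join(tmp, 'repos')
    FileUtils.mkdir_p(File.join(base, 'projA'))
    FileUtils.mkdir_p(File.join(tmp, 'outside'))
    # A symlink inside the base that points outside it.
    File.symlink(File.join(tmp, 'outside'), File.join(base, 'escape'))

    v = RepositoryPathValidator.new(base)
    {
      root: v.valid?('/'),                               # the case from the report
      sub_relative: v.valid?('projA'),
      sub_absolute: v.valid?(File.join(base, 'projA')),
      traversal: v.valid?('../outside'),
      symlink_escape: v.valid?(File.join(base, 'escape')),
      missing: v.valid?('does-not-exist')
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" }
end
```

The check is deliberately done after `realpath`, not on the raw string: a prefix comparison on the text the user typed would still accept `/srv/repos/../../etc` or a symlink under the base, which is exactly the class of input the report is about.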
Updated by Go MAEDA about 10 years ago
- Related to Feature #17164: file:/// repository insecure added
Updated by Go MAEDA about 10 years ago
- Related to Feature #13038: Base path for filesystem repository adapter added
Updated by Jean-Philippe Lang about 10 years ago
- Status changed from New to Closed
- Resolution set to Duplicate
Closing as a dup of #1415 which is addressed for 3.0 by adding configuration settings to limit valid repository path.
Updated by Jean-Philippe Lang about 10 years ago
- Related to deleted (Feature #17164: file:/// repository insecure)
Updated by Jean-Philippe Lang about 10 years ago
- Related to deleted (Feature #13038: Base path for filesystem repository adapter)
Updated by Jean-Philippe Lang about 10 years ago
- Is duplicate of Feature #1415: Let system administrator limit repositories valid sources added