Project

General

Profile

Actions
Copy link

Defect #18291

closed

Path property security issue when adding filesystem repository

Added by Bahri Yardim about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Duplicate
Affected version:

Description

When adding a filesystem repository, one can enter whatever he wants into "path" property. This can lead to security issues. For example i entered "/" as path to a redmine project and i was able to see and modify all of the server root (linux) in which the application runs. (Such behaviour can be replicated in windows hosts by entering "C:/" into path).

So a folder definition for all repositories must be set in a config file (not via admin panel because it must not be changed). So that whatever path is entered, the root path will be the one set in config file.

I think this is a serious security issue.

You can see screenshots for information.

Files

Download all files
1.png (11.4 KB) 1.png Adding repo Bahri Yardim, 2014-11-06 10:20
2.png (33.3 KB) 2.png Browsing root Bahri Yardim, 2014-11-06 10:20

Related issues

Is duplicate of Redmine - Feature #1415: Let system administrator limit repositories valid sourcesClosedJean-Philippe Lang2008-06-09

Actions
Actions
Copy link

Also available in: Atom PDF