Defect #21136

closed

Issues API may disclose changeset messages that are not visible

Added by Jan from Planio www.plan.io about 9 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Normal
Category: Issues
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

The check to include related changesets in the single issue API view is currently done against the project of the issue.

An issue can have related changesets from other projects, where the current user might not have the permission to see changesets. This leads to changeset messages being leaked to users without the permission to see them.

The attached patch (created by Felix Schäfer) uses the changesets passed by the controller instead of reimplementing logic in the view, thus sharing the same logic as the html view.


Files

231789.patch (3.16 KB), Jan from Planio www.plan.io, 2015-11-02 22:43
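The two shapes of the check described in the report, as an added example that is not part of this issue, the attached patch, or Redmine's own code: the `Project`, `Changeset`, `Issue` and `User` classes below are stand-ins with the same names as Redmine models but are defined here, the `:view_changesets` permission is the one Redmine uses for repository access, and the fixture data is constructed. The first function gates the whole changeset list on the issue's project and then emits every related changeset; the second filters each changeset against the project its repository belongs to, which is the per-changeset logic the HTML view already applied.

```ruby
# Added example (not Redmine's code): a self-contained model of the issue-API
# changeset visibility check. The vulnerable shape checks the issue's project
# once; the fixed shape checks each changeset against its own project.
# Project, Changeset, Issue and User are stand-ins, not Redmine's models.

Project   = Struct.new(:name)
# project = the project of the repository the changeset was committed to,
# which may differ from the project of the issue it references.
Changeset = Struct.new(:revision, :comments, :project)
Issue     = Struct.new(:id, :project, :changesets)

# A user is modelled only by the set of projects in which it holds
# the :view_changesets permission.
class User
  def initialize(changeset_projects)
    @changeset_projects = changeset_projects
  end

  def allowed_to?(permission, project)
    permission == :view_changesets && @changeset_projects.include?(project)
  end
end

# Vulnerable shape: one check against the issue's project, then every related
# changeset is serialised, including ones from projects the user cannot see.
def api_changesets_vulnerable(issue, user)
  return [] unless user.allowed_to?(:view_changesets, issue.project)
  issue.changesets.map { |cs| { revision: cs.revision, comments: cs.comments } }
end

# Fixed shape: the visible subset is computed once (as the controller would),
# checking each changeset against its repository's project, and the API view
# renders only that subset instead of re-deriving the list itself.
def visible_changesets(issue, user)
  issue.changesets.select { |cs| user.allowed_to?(:view_changesets, cs.project) }
end

def api_changesets_fixed(issue, user)
  visible_changesets(issue, user).map { |cs| { revision: cs.revision, comments: cs.comments } }
end

# Constructed fixture: the issue lives in project A and is referenced by one
# changeset from A and one from B; the user may view changesets in A only.
PROJECT_A = Project.new('A')
PROJECT_B = Project.new('B')
ISSUE = Issue.new(21136, PROJECT_A, [
  Changeset.new('r100', 'Fixes #21136 in A', PROJECT_A),
  Changeset.new('r200', 'Internal work in B, refs #21136', PROJECT_B),
])
OUTSIDER = User.new([PROJECT_A])

if __FILE__ == $0
  puts "vulnerable: #{api_changesets_vulnerable(ISSUE, OUTSIDER).map { |c| c[:revision] }.inspect}"
  puts "fixed:      #{api_changesets_fixed(ISSUE, OUTSIDER).map { |c| c[:revision] }.inspect}"
end
```

Run against the fixture, the vulnerable function returns both `r100` and `r200` (leaking the project B commit message) while the fixed one returns only `r100`. Deriving the list in one place in the controller is what keeps the API and HTML views from drifting apart again.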
#1

Updated by Jean-Philippe Lang about 9 years ago

  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Thanks for reporting this. The fix is committed in r14794.
The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test had actually access to the changeset).

#2

Updated by Jan from Planio www.plan.io about 9 years ago

Jean-Philippe Lang wrote:

The :repositories fixtures were missing in the test, and adding them made the test fail (the user used in the test had actually access to the changeset).

Thanks for committing this (and for pointing this out as well).

#3

Updated by Jean-Philippe Lang about 9 years ago

  • Project changed from 2 to Redmine
  • Subject changed from Information leak in IssuesController#show API to Issues API may disclose changeset messages that are not visible
  • Category set to Issues
  • Status changed from Resolved to Closed
  • Target version set to 2.6.8
  • Private changed from No to Yes

#4

Updated by Jan from Planio www.plan.io almost 9 years ago

  • Private changed from Yes to No

Making this public since fixes have been released already.
