Defect #35789

closed

Redmine is leaking usernames on activities index view

Added by Mischa The Evil over 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Category: Security
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Redmine currently leaks usernames when the activities index view is requested with a user_id param that has a non-visible user_id argument.
The cause of this is that the @author instance variable in the activities controller is populated with the user having the user_id argument without doing a visible check (see source:/trunk/app/controllers/activities_controller.rb@21197#L36).

This issue has been present since Redmine 0.8 (where the user activities list feature was introduced, feature #1002) and exists up until now (trunk @ r21197). Though from 0.8 up to and including 2.6.x there wasn't an explicit setting to control user visibility. With 3.0.0 we got the user visibility feature from #11724, but this case wasn't modified to obey that particular setting.

I'll leave two (cumulative) patches with test coverage:
  • The first one is pretty simple. It just adds the visibility check and as a result, when the page is requested with a non-visible user, renders a 404 instantaneously. This relies on the fact that the controller already rescues ActiveRecord::RecordNotFound exceptions via source:/trunk/app/controllers/activities_controller.rb@21197#L83.
  • The second one changes the above given behavior a bit to work in a slightly more sophisticated manner. It wraps the @author population in a block that rescues the ActiveRecord::RecordNotFound exception itself and populates @author with either the visible (and active) user or nil according to the result of the call to User.visible.active.find(params[:user_id]). This way Redmine doesn't throw a 404 error immediately. Instead, it will respond with a sanitized activities index view when it is requested with a user_id param with a user_id argument that is not visible.

FWIW: I have no particular preference for how this leakage gets resolved. I'd be ok with both the solutions I propose.

Please let me know if more information is needed.
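The three lookups this report contrasts (the unchecked one that leaks, the strict one from the first patch, and the rescuing one from the second patch), as an added example that is not Redmine's own code: a plain-Ruby stand-in for the ActiveRecord pieces the description relies on (a `User` model with `visible`/`active` scopes, `find`, and `ActiveRecord::RecordNotFound`), populated with constructed sample users. The `activity_response` simulation and its heading text are assumptions made for illustration only; the real controller and view are in the Redmine source linked above.

```ruby
# Added example, not Redmine's code. Minimal stand-in for the ActiveRecord
# pieces named in the report so the lookups can run without Rails.
module ActiveRecord
  class RecordNotFound < StandardError; end
end

# Constructed stand-in for the User model: an in-memory table plus the
# chainable scopes used in the report (User.visible, .active, .find).
class User
  attr_reader :id, :login, :visible, :active

  def initialize(id, login, visible:, active:)
    @id, @login, @visible, @active = id, login, visible, active
  end

  # Constructed sample data: one ordinary user, one hidden by the visibility
  # setting, and one locked (inactive) user.
  ALL = [
    new(1, "jsmith", visible: true,  active: true),
    new(2, "hidden", visible: false, active: true),
    new(3, "locked", visible: true,  active: false)
  ].freeze

  # Mimics a chained ActiveRecord relation; find raises like AR does.
  class Relation
    def initialize(rows)
      @rows = rows
    end

    def visible
      Relation.new(@rows.select(&:visible))
    end

    def active
      Relation.new(@rows.select(&:active))
    end

    def find(id)
      @rows.find { |u| u.id == id.to_i } or
        raise ActiveRecord::RecordNotFound, "Couldn't find User with id=#{id}"
    end
  end

  def self.visible
    Relation.new(ALL).visible
  end

  def self.active
    Relation.new(ALL).active
  end

  def self.find(id)
    Relation.new(ALL).find(id)
  end
end

# Behaviour the report describes before the fix: no visibility check, so a
# non-visible user's login reaches the view.
def author_for_unchecked(params)
  User.find(params[:user_id])
end

# First patch: add the visibility check and let RecordNotFound propagate; the
# controller's existing rescue turns it into a 404.
def author_for_strict(params)
  User.visible.active.find(params[:user_id])
end

# Second patch: rescue RecordNotFound locally and fall back to nil, so the
# controller renders a sanitized (unfiltered) activity index instead.
def author_for_lenient(params)
  User.visible.active.find(params[:user_id])
rescue ActiveRecord::RecordNotFound
  nil
end

# Assumed simulation of the controller outcome for one request:
# [HTTP status, heading text the view would render].
def activity_response(strategy, user_id)
  author = send(strategy, { user_id: user_id })
  [200, author ? "#{author.login}'s activity" : "Activity"]
rescue ActiveRecord::RecordNotFound
  [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  %i[author_for_unchecked author_for_strict author_for_lenient].each do |s|
    puts "#{s}: #{activity_response(s, '2').inspect}"
  end
end
```

Requesting user_id=2 (the non-visible user) is the case the report is about: the unchecked lookup puts the hidden login into the page, the strict variant answers 404, and the lenient variant answers 200 with the generic, unfiltered heading. Both fixed variants also treat a locked user (id 3) and an unknown id the same way as a hidden one, which is what makes the response unable to distinguish "hidden" from "nonexistent".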

