Defect #35789
Redmine is leaking usernames on activities index view
Status: closed, Done: 0%
Description
Redmine currently leaks usernames when the activities index view is requested with a user_id param that has a non-visible user_id argument.
The cause of this is that the @author instance variable in the activities controller is populated with the user having the user_id argument without doing a visible check (see source:/trunk/app/controllers/activities_controller.rb@21197#L36).
This issue has been present since Redmine 0.8 (where the user activities list feature was introduced, feature #1002) and exists up until now (trunk @ r21197). Though from 0.8 up to and including 2.6.x there wasn't an explicit setting to control user visibility. With 3.0.0 we got the user visibility feature from #11724, but this case wasn't modified to obey that particular setting.
I'll leave two (cumulative) patches with test coverage:
- The first one is pretty simple. It just adds the visibility check and as a result, when the page is requested with a non-visible user, renders a 404 instantaneously. This relies on the fact that the controller already rescues ActiveRecord::RecordNotFound exceptions via source:/trunk/app/controllers/activities_controller.rb@21197#L83.
- The second one changes the above given behavior a bit to work in a slightly more sophisticated manner. It wraps the @author population in a block that rescues the ActiveRecord::RecordNotFound exception itself and populates @author with either the visible (and active) user or nil according to the result of the call to User.visible.active.find(params[:user_id]). This way Redmine doesn't throw a 404 error immediately. Instead, it will respond with a sanitized activities index view when it is requested with a user_id param with a user_id argument that is not visible.
FWIW: I have no particular preference for how this leakage gets resolved. I'd be ok with both the solutions I propose.
Please let me know if more information is needed.
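The three lookup shapes discussed in the report (the unscoped lookup that leaks, the scoped lookup that lets ActiveRecord::RecordNotFound reach the controller's existing rescue, and the scoped lookup that rescues in place and falls back to nil), as an added stand-alone example that is not Redmine's code and not the reporter's patches. ActiveRecord is replaced by a small in-memory repository so it runs without Rails; `RecordNotFound`, `UserRepository`, `visible_active_find`, the `USERS` sample data and the `:not_found` return value standing in for `render_404` are all assumptions made for this example.

```ruby
# Added example, not Redmine's code: models the @author lookup from the
# report without Rails. Names below are stand-ins, not Redmine's API.

class RecordNotFound < StandardError; end  # stand-in for ActiveRecord::RecordNotFound

User = Struct.new(:id, :login, :active, :visible)

class UserRepository
  def initialize(users)
    @users = users
  end

  # Unscoped lookup, the shape of User.find(id): every stored row is reachable.
  def find(id)
    @users.find { |u| u.id == Integer(id) } or raise RecordNotFound, "id=#{id}"
  end

  # Scoped lookup, the shape of User.visible.active.find(id): rows that are
  # hidden or inactive are treated exactly like rows that do not exist.
  def visible_active_find(id)
    u = find(id)
    raise RecordNotFound, "id=#{id}" unless u.visible && u.active
    u
  end
end

# Constructed sample data (assumption): one visible user, one hidden, one inactive.
USERS = UserRepository.new([
  User.new(1, "alice", true, true),
  User.new(2, "hidden-bob", true, false),
  User.new(3, "inactive-carol", false, true),
])

# Before the fix: no visibility scope, so any existing id yields its login.
# The controller's existing rescue only covers ids that do not exist at all.
def author_login_leaky(user_id)
  USERS.find(user_id).login
rescue RecordNotFound
  :not_found # stands in for the controller-level render_404
end

# First patch shape: scope the lookup and let RecordNotFound propagate to the
# controller's existing rescue, so a hidden or inactive user gets a 404.
def author_login_patch1(user_id)
  USERS.visible_active_find(user_id).login
rescue RecordNotFound
  :not_found # controller-level render_404, as before
end

# Second patch shape: rescue around the assignment itself and fall back to
# nil, so the view renders a sanitized, author-less activities page instead.
def author_for_patch2(user_id)
  USERS.visible_active_find(user_id)
rescue RecordNotFound
  nil
end

if __FILE__ == $0
  [1, 2, 3, 99].each do |id|
    patch2 = author_for_patch2(id)
    puts "id=#{id} leaky=#{author_login_leaky(id).inspect} " \
         "patch1=#{author_login_patch1(id).inspect} " \
         "patch2=#{patch2 ? patch2.login.inspect : 'nil'}"
  end
end
```

Running it shows the leak on id 2: the unscoped lookup returns "hidden-bob" while both patched forms hide it (404 stand-in or nil). Note that the scoped form also hides inactive users (id 3), which is what `User.visible.active` in the report's second patch implies.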