Defect #9567: Redmine.pm potential security issue with cache credential enabled and subversion - Redmine

Actions

Copy link

Defect #9567

closed

Redmine.pm potential security issue with cache credential enabled and subversion

Added by Guillaume Perréal about 13 years ago. Updated almost 13 years ago.

Status:

Closed

Priority:

High

Assignee:

Jean-Philippe Lang

Category:

SCM extra

Target version:

1.2.3

Start date:

2011-11-14

Due date:

% Done:

Estimated time:

Resolution:

Fixed

Affected version:

Description

Redmine.pm credential cache is based only on project, user and password, ignoring permissions (or at least read/write type). Credentials cached for reading can thus be reused for committing.

Simple test case:

ensure credential cache is enabled using "RedmineCacheCredsMax 50",
create a private project with Subversion SCM,
assign an user with role "reviewer" (he should have only :browse_repository permission),
check out the project,
modify a file,
commit.

Here is log excerpt (user bob is reviewer of project monprojet):

First attempt, we get an error 401, asking the user to authenticate for read method "OPTIONS":

192.168.56.1 - - [14/Nov/2011:20:32:27 +0100] "OPTIONS /svn/monprojet/trunk HTTP/1.1" 401 762 "-" "SVN/1.6.12 (r955767) neon/0.29.6"

Then the user successfully authenticates as bob, which is allowed read methods (OPTIONS and PROPFIND):

192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "OPTIONS /svn/monprojet/trunk HTTP/1.1" 200 870 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk HTTP/1.1" 207 856 "-" "SVN/1.6.12 (r955767) neon/0.29.6"

There comes the committing part, starting with MKACTIVITY, a write method:

192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "MKACTIVITY /svn/monprojet/!svn/act/7d5d2d10-22bb-429d-99d3-958c04a83f6c HTTP/1.1" 201 579 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "CHECKOUT /svn/monprojet/!svn/vcc/default HTTP/1.1" 201 595 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPPATCH /svn/monprojet/!svn/wbl/7d5d2d10-22bb-429d-99d3-958c04a83f6c/3 HTTP/1.1" 207 625 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk HTTP/1.1" 207 564 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "CHECKOUT /svn/monprojet/!svn/ver/3/trunk HTTP/1.1" 201 603 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/!svn/wrk/7d5d2d10-22bb-429d-99d3-958c04a83f6c/trunk/bla3 HTTP/1.1" 404 503 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PROPFIND /svn/monprojet/trunk/bla3 HTTP/1.1" 404 457 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "PUT /svn/monprojet/!svn/wrk/7d5d2d10-22bb-429d-99d3-958c04a83f6c/trunk/bla3 HTTP/1.1" 201 602 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "MERGE /svn/monprojet/trunk HTTP/1.1" 200 1183 "-" "SVN/1.6.12 (r955767) neon/0.29.6" 
192.168.56.1 - bob [14/Nov/2011:20:32:35 +0100] "DELETE /svn/monprojet/!svn/act/7d5d2d10-22bb-429d-99d3-958c04a83f6c HTTP/1.1" 204 141 "-" "SVN/1.6.12 (r955767) neon/0.29.6"