[Python-apps-team] Bug#667720: Dependency graph does not check ticket view permissions
Wichert Akkerman
wichert at wiggy.net
Fri Apr 6 08:02:21 UTC 2012
Package: trac-mastertickets
Severity: critical

The dependency graph view of a ticket does not do any permission checks.
This is a security problem on private Trac sites since it creates a
channel through which sensitive information about tickets (existence,
dependencies and ticket titles) is revealed.

This has been reported upstream as well: both in the GitHub issue
tracker (see https://github.com/coderanger/trac-mastertickets/issues/4 )
and in the trac-hacks issue tracker (see
https://trac-hacks.org/ticket/9944 ). I have also submitted this to
Ubuntu since they carry the same package:
https://bugs.launchpad.net/ubuntu/+source/trac-mastertickets/+bug/974909

Regards,
Wichert.
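
The kind of check the report describes as missing, shown as an added example that is not part of the original message and is not trac-mastertickets code. It is a stand-alone Python model of a dependency graph view; the ticket data, the `can_view` policy and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Ticket:
    id: int
    summary: str
    blocked_by: list = field(default_factory=list)
    private: bool = False

# Constructed sample data: tickets 3 and 4 are restricted.
TICKETS = {
    1: Ticket(1, "Public release checklist", blocked_by=[2, 3]),
    2: Ticket(2, "Update docs"),
    3: Ticket(3, "Embargoed fix", blocked_by=[4], private=True),
    4: Ticket(4, "Rotate credentials", private=True),
}

class PermissionDenied(Exception):
    pass

def can_view(user, ticket):
    """Hypothetical policy: private tickets are visible to 'staff' only."""
    return not ticket.private or user == "staff"

def dependency_graph(user, root_id, tickets=TICKETS):
    """Return (nodes, edges) reachable from root_id that `user` may view."""
    root = tickets.get(root_id)
    # Same error for missing and forbidden roots, so existence is not revealed.
    if root is None or not can_view(user, root):
        raise PermissionDenied(root_id)
    nodes, edges, stack = {}, set(), [root]
    while stack:
        t = stack.pop()
        if t.id in nodes:
            continue
        nodes[t.id] = t.summary
        for dep_id in t.blocked_by:
            dep = tickets.get(dep_id)
            # Per-ticket check: drop the node, its title and the edge to it.
            if dep is None or not can_view(user, dep):
                continue
            edges.add((t.id, dep.id))
            stack.append(dep)
    return nodes, edges
```

Checking only the root ticket is not enough: without the per-dependency check, a viewer of ticket 1 would still learn that ticket 3 exists, what it is called and that it blocks ticket 1.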