Hi again,

On Sun, Mar 08, 2009 at 03:01:36PM +0100, Sebastian Harl wrote:
> Daniel Diniz discovered that EditCSVAction does not include appropriate
> permission checks allowing any user to edit any item in a class she has
> create / edit privileges for. This includes, amongst others, modifying
> content of existing messages or issues, changing user settings or adding
> roles to existing users, which allows gaining admin privileges.
The attached trivial patch disables EditCSVAction altogether. Afaik,
this feature is useful for batch editing only and isn't used by any
other parts of the web-interface (however, features like "roundup-admin
import" might use it as well), so it should be an appropriate
countermeasure in most cases for now.
Cheers,
Sebastian
PS: This patch is against the roundup source tree. To apply it to your
local installation use something like:
cd /usr/share/pyshared
patch -p1 < bts518768-disable-editcsv.patch
--
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/
Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin
--- a/roundup/cgi/actions.py
+++ b/roundup/cgi/actions.py
@@ -277,6 +277,8 @@
removed lines are retired.
"""
+ self.client.error_message.append('EditCSVAction has been disabled for security reasons')
+ return
cl = self.db.classes[self.classname]
idlessprops = cl.getprops(protected=0).keys()
idlessprops.sort()
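Review bot: the unconditional `return` inserted before `cl = self.db.classes[self.classname]` turns the whole remainder of the method into unreachable code while the docstring just above it ("removed lines are retired.") still describes the CSV edit as if it ran; either update the docstring to state that the action is disabled, or keep the body and gate it on a per-item, per-property permission check so that batch editing stays available to users who are actually allowed to change each item. Also worth confirming that the CSV form re-renders `self.client.error_message` after the action returns, otherwise the appended message is never shown and the submission appears to silently do nothing.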
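To make the bug class behind this report concrete, here is an added example that is not Roundup's code and does not use its real API: a toy batch editor in the style of a CSV edit action, once with only a class-level "Edit" check (the flaw described above) and once checking every item and property before anything is written. The database, the users, the `has_permission` policy and the function names are all constructed for the illustration.

```python
"""
Toy model of a class-level vs. item-level permission check (hypothetical
code, not Roundup's). A batch edit that only asks "may this user Edit the
class?" lets a plain user rewrite another user's 'roles'; the checked
variant asks per item and per property, and applies nothing on a denial.
"""
import copy


class PermissionDenied(Exception):
    pass


# Constructed sample data: a plain user and an administrator.
DB = {
    "user": {
        "1": {"username": "alice", "roles": "User"},
        "2": {"username": "admin", "roles": "Admin"},
    }
}


def user_id(username):
    """Look up the item id of a username in the constructed DB."""
    for itemid, item in DB["user"].items():
        if item["username"] == username:
            return itemid
    return None


def has_permission(user, action, classname, itemid=None, prop=None):
    """Constructed policy: 'admin' may do anything; a plain user has a
    class-level Edit right on 'user' (so the batch UI is offered to her),
    but may only change her own item, and never its 'roles' property."""
    if user == "admin":
        return True
    if action == "Edit" and classname == "user":
        if itemid is None:
            return True  # class-level check only: this is the weak spot
        if itemid != user_id(user):
            return False
        return prop != "roles"
    return False


def batch_edit_vulnerable(db, user, classname, rows):
    """The flaw: one class-level check, then every row is applied."""
    if not has_permission(user, "Edit", classname):
        raise PermissionDenied(f"{user} may not edit class {classname}")
    for itemid, changes in rows:
        db[classname][itemid].update(changes)


def batch_edit_checked(db, user, classname, rows):
    """The fix: verify each (item, property) first; write only if all pass."""
    for itemid, changes in rows:
        for prop in changes:
            if not has_permission(user, "Edit", classname, itemid, prop):
                raise PermissionDenied(
                    f"{user} may not edit {classname}{itemid}.{prop}")
    for itemid, changes in rows:
        db[classname][itemid].update(changes)


def run_scenario(editor, user, rows):
    """Run one batch edit against a fresh copy of DB.
    Returns (allowed, resulting 'user' table)."""
    db = copy.deepcopy(DB)
    try:
        editor(db, user, "user", rows)
        return True, db["user"]
    except PermissionDenied:
        return False, db["user"]


if __name__ == "__main__":
    escalate = [("1", {"roles": "Admin"})]
    print("vulnerable:", run_scenario(batch_edit_vulnerable, "alice", escalate))
    print("checked:   ", run_scenario(batch_edit_checked, "alice", escalate))
```

The second function deliberately runs all checks before the first write, so a batch that mixes one permitted row with one forbidden row is rejected as a whole rather than leaving the database half-updated.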