Christopher Lenz wrote:
> On 13.12.2007, at 11:37, Noah Kantrowitz wrote:
>
>> A possible security issue exists with pooled SQLite connection and the
>> ATTACH/DETACH statements.
>>
>
> What exactly is the security issue here?
>
You can gain access to an arbitrary database on the server from a Trac report, if you happen to know the filename of that other database and you have the REPORT_MODIFY permission.

With Noah's patch, you get "Report execution failed: not authorized" when trying to ATTACH to another database.

--
Christian
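The following is an added example, not code from the thread or from Trac, showing one way a report-execution layer can refuse ATTACH/DETACH so that report SQL stays confined to the application's own database. The message does not say how Noah's patch works; the use of SQLite's authorizer callback (sqlite3.Connection.set_authorizer) is an assumption chosen here because it produces the "not authorized" error quoted above. The table names, the sample rows and the second database file are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


def make_secret_db(path):
    """Constructed second database on the same host that report SQL must not reach."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, value TEXT)")
    con.execute("INSERT INTO secrets (value) VALUES ('constructed secret row')")
    con.commit()
    con.close()


def deny_attach(action, arg1, arg2, dbname, source):
    """Authorizer callback: refuse ATTACH and DETACH, allow every other action.

    SQLite calls this while preparing each statement; returning SQLITE_DENY
    makes the prepare step fail with 'not authorized' before anything runs.
    """
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def run_report(report_sql, hardened):
    """Run a list of report statements against a throwaway in-memory 'trac' database.

    Returns ('ok', rows_of_last_statement) or ('error', message). With
    hardened=True the ATTACH/DETACH authorizer is installed first.
    """
    # Autocommit mode so an ATTACH is not rejected merely for being inside a transaction.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, summary TEXT)")
    con.execute("INSERT INTO ticket (summary) VALUES ('constructed ticket')")
    if hardened:
        con.set_authorizer(deny_attach)
    try:
        rows = []
        for stmt in report_sql:
            rows = con.execute(stmt).fetchall()
        return ("ok", rows)
    except sqlite3.DatabaseError as exc:
        return ("error", str(exc))
    finally:
        con.close()


def demo():
    """Compare an ordinary report and an ATTACH-ing report with and without the authorizer."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "other.db")  # constructed 'other database' filename
        make_secret_db(secret)
        attach_report = [
            "ATTACH DATABASE '%s' AS other" % secret,
            "SELECT value FROM other.secrets",
        ]
        return {
            "normal_hardened": run_report(["SELECT summary FROM ticket"], hardened=True),
            "attach_unpatched": run_report(attach_report, hardened=False),
            "attach_hardened": run_report(attach_report, hardened=True),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The authorizer is installed on the connection, so it also covers connections handed out by a pool: a deny on SQLITE_ATTACH is evaluated per statement, regardless of which request previously used the connection. Ordinary SELECT reports are unaffected because every other action code is answered with SQLITE_OK.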
