Modify

Opened 13 years ago

Last modified 8 years ago

#9981 new defect

[PATCH] SQL injection vulnerability patch for TracDownloads

Reported by: Aleksi Hanninen Owned by:
Priority: normal Component: DownloadsPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.12

Description

There is a SQL injection vulnerability in the Trac Downloads plugin.

Two patches are provided as attached:

  1. tracdownloads_sql_injection_vulnerability.patch
  1. tracdownloads_patch_complete.patch

Use the first "sql injection vulnerability" patch to fix the vulnerability. The patch also introduces fix in the download link resolver (link generation for download files in wiki context) by file.

A more complete, but unfortunately largely untested, "complete" patch contains the first "sql injection vulnerability" patch and also introduces other fixes, like:

  • Editing just the description of the downloads won't crash. (If editing just the description of the downloads, you shouldn't expect any file to be uploaded)
  • Since components should not use self.*, add a dict req_data and use that instead. This improves the security of concurrency.

Unfortunately, I haven't been able to test this with Vanilla trac, and I give no guarantees whatsoever. However, the first patch should work without problems.

My environment consists of Apache, Linux, Python 2.6, and Trac 0.12.1.

Attachments (2)

tracdownloads_sql_injection_vulnerability.patch (5.7 KB) - added by Aleksi Hanninen 13 years ago.
tracdownloads_patch_complete.patch (30.8 KB) - added by Aleksi Hanninen 13 years ago.

Download all attachments as: .zip

Change History (7)

Changed 13 years ago by Aleksi Hanninen

Attachment: tracdownloads_sql_injection_vulnerability.patch added

Changed 13 years ago by Aleksi Hanninen

Attachment: tracdownloads_patch_complete.patch added

comment:1 Changed 13 years ago by Aleksi Hanninen

I also changed import * to more specific versions and fixed some CSRF vulnerabilities in the "complete" patch.

comment:2 Changed 11 years ago by Ryan J Ollos

Owner: changed from Radek Bartoň to Ryan J Ollos
Status: newassigned

comment:3 Changed 8 years ago by Ryan J Ollos

#9609 closed as a duplicate.

comment:4 Changed 8 years ago by Ryan J Ollos

Status: assignedaccepted

comment:5 Changed 8 years ago by Ryan J Ollos

Owner: Ryan J Ollos deleted
Status: acceptednew

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The ticket will remain with no owner.

Add Comment

E-mail address and name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.