View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0026893 | mantisbt | security | public | 2020-04-19 17:39 | 2020-06-16 16:57 |

| Field | Value |
|---|---|
| Reporter | vboctor |
| Assigned To | vboctor |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 2.24.0 |
| Target Version | 2.24.1 |
| Fixed in Version | 2.24.1 |
| Summary | 0026893: APIs expose private attachments to users who have access to the issue but not to private notes |
| Description | This applies to both the SOAP and REST APIs. Impacted REST APIs: Note that the UI enforced the access checks correctly, since the attachments were grouped with the private notes and the private notes were not rendered. |
| Tags | No tags attached. |

| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0026631 | closed | vboctor | file_get_visible_attachments shows private files that should be invisible to the user |
| related to | 0026894 | assigned | vboctor | Issue note files should show up within the notes in REST API |
| related to | 0027039 | closed | dregad | CVE-2020-25781: Access to private bug note attachments |
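To make the access rule behind this report concrete, here is an added example that is not MantisBT's own code (the real check lives in core/file_api.php and api/soap/mc_issue_api.php, touched by the commits on this issue). It models the one rule the description relies on: a file linked to a bugnote inherits that note's view state, so an API listing attachments must drop files on private notes for users who can view the issue but not private notes. The array shapes, function names, constants and sample records below are hypothetical and constructed for the example.

```php
<?php
// Added example, not MantisBT's own code. Models the rule behind issue 0026893:
// an attachment linked to a bugnote inherits that note's view state, so a file
// on a private note is withheld from users who cannot see private notes even
// though they can view the issue. All names, shapes and constants are
// hypothetical; MantisBT's real check is in core/file_api.php.

const EXAMPLE_VS_PUBLIC  = 'public';
const EXAMPLE_VS_PRIVATE = 'private';

/**
 * $user:        ['id' => int, 'can_view_issue' => bool, 'can_view_private_notes' => bool]
 * $attachment:  ['id' => int, 'filename' => string, 'bugnote_id' => int]  (0 = issue-level file)
 * $notes_by_id: bugnote id => ['reporter_id' => int, 'view_state' => string]
 */
function attachment_is_visible(array $user, array $attachment, array $notes_by_id): bool
{
    if (!$user['can_view_issue']) {
        return false;
    }
    // Files attached directly to the issue follow the issue's own visibility.
    if ($attachment['bugnote_id'] === 0) {
        return true;
    }
    // A file pointing at a note that is not in the set is withheld (fail closed).
    if (!isset($notes_by_id[$attachment['bugnote_id']])) {
        return false;
    }
    $note = $notes_by_id[$attachment['bugnote_id']];
    if ($note['view_state'] === EXAMPLE_VS_PRIVATE) {
        // Private note: visible to its author, or to users who may view private notes.
        return $user['can_view_private_notes'] || $note['reporter_id'] === $user['id'];
    }
    return true;
}

/** Returns only the attachments $user may see: what an API endpoint should emit. */
function filter_visible_attachments(array $user, array $attachments, array $notes_by_id): array
{
    $visible = array_filter($attachments, function (array $a) use ($user, $notes_by_id) {
        return attachment_is_visible($user, $a, $notes_by_id);
    });
    return array_values($visible);
}

// Constructed sample data matching the test described in the discussion:
// one issue-level file, one file on a private note, one file on a public note.
$notes = [
    7 => ['reporter_id' => 1, 'view_state' => EXAMPLE_VS_PRIVATE],
    8 => ['reporter_id' => 1, 'view_state' => EXAMPLE_VS_PUBLIC],
];
$attachments = [
    ['id' => 100, 'filename' => 'issue.txt',        'bugnote_id' => 0],
    ['id' => 101, 'filename' => 'private-note.txt', 'bugnote_id' => 7],
    ['id' => 102, 'filename' => 'public-note.txt',  'bugnote_id' => 8],
];
$admin    = ['id' => 1, 'can_view_issue' => true, 'can_view_private_notes' => true];
$reporter = ['id' => 2, 'can_view_issue' => true, 'can_view_private_notes' => false];

// The defect reported here is equivalent to handing $attachments unfiltered to both users.
foreach (['admin' => $admin, 'reporter' => $reporter] as $role => $user) {
    $names = array_column(filter_visible_attachments($user, $attachments, $notes), 'filename');
    echo $role . ': ' . implode(', ', $names) . PHP_EOL;
}
```

With this data the admin is listed all three files and the reporter only issue.txt and public-note.txt, which is the outcome the discussion below describes as correct. The fail-closed branch for an attachment whose note is not in the visible set is a design choice of the example: it keeps a dangling note link from turning into a leak, which is the safer default for a listing endpoint.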
@dregad and @atrol please review the change on the following branch:

Had a very short look at it. These cases seem not to be fixed.

@atrol can you provide more details about the case you tested and what you have seen? I personally tested with an admin user and a reporter that can't see private attachments. I had attachments associated with the public issue and attachments associated with a private note. The admin can see all. The reporter can see only issue attachments, but not note attachments. Did you test with attachments that are linked to the notes in the DB, or ones that are associated at runtime? I didn't test the latter, since these wouldn't be private; if they become private, they should be linked properly. I will test again, but let me know what you have tested or will find.

Same for me.

That's my test case.

That's what I see on the "View Issue" page, but not when checking the JSON response via {{url}}/api/rest/issues/:issue_id/files in the same browser tab.

Yes.

@atrol I just tested again and it seems to be working fine. Can you check the value for the following configs:

If these are set as above, then it would be helpful if you can step through the code and see why it authorized in your environment, since it only shows the right attachments in my environment.

@vboctor I checked everything you wrote before I wrote my first note, but I will check again.

@vboctor I tried on a completely fresh install, but was not able to reproduce. It might somehow be related to the option limit_view_unless_threshold I had stored in one of my test databases when trying this option weeks ago. I don't want to block your change any longer, as it's obviously better than it was before.

MantisBT: master-2.24 f1f236f9 2020-04-19 13:36

Fix attachments API access checks
- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)
Fixes 0026893

Affected Issues: 0026893

mod - api/soap/mc_issue_api.php
mod - core/file_api.php

MantisBT: master 4b436c4c 2020-04-19 13:36

Fix attachments API access checks
- Fix attachment access checks for private attachments. (REST and SOAP)
- Include note attachments within notes (REST)
Fixes 0026893

Affected Issues: 0026893

mod - api/soap/mc_issue_api.php
mod - core/file_api.php