
Re: [Fusionforge-general] Seeking pre-upload approval (was Re: MW 1.19 for wheezy)



On Mon, 3 Sep 2012, Thorsten Glaser wrote:

> The diff attached will also need to be added to this upload
> for security reasons.

And this one, too. The forge has public pages, such as a
user’s homepage – https://alioth.debian.org/users/tg – and
the https://alioth.debian.org/top/toplist.php?type=downloads
lists, which enumerate projects; but those lists were not
filtered to check that the user viewing the page actually had
permission to read each project. This was especially bad
because an anonymous, not-logged-in user was shown the
existence and names of hidden (private) projects.

This was discovered by one of our partners in a live system today…

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 16199)
+++ debian/changelog	(working copy)
@@ -12,8 +12,9 @@
   * Unbreak and silence the MediaWiki nightly dump cronjob (Closes: #680165)
   * Remove minified ECMAscript and binary *.jar from the source
   * SECURITY: Upon user deletion, remove their Unix account as well
+  * SECURITY: Do not disclose inaccessible groups on user_home/toplist
 
- -- Thorsten Glaser <tg@mirbsd.de>  Mon, 03 Sep 2012 11:55:51 +0200
+ -- Thorsten Glaser <tg@mirbsd.de>  Mon, 03 Sep 2012 14:07:16 +0200
 
 fusionforge (5.2~rc1-5) unstable; urgency=low
 
Index: www/include/user_home.php
===================================================================
--- www/include/user_home.php	(revision 16198)
+++ www/include/user_home.php	(working copy)
@@ -104,6 +104,10 @@
 	print "<p>"._('This developer is a member of the following projects:')."</p>\n";
 
 	foreach ($projects as $p) {
+		if (!forge_check_perm('project_read', $p->getID())) {
+			continue;
+		}
+
 		$project_link = util_make_link_g ($p->getUnixName(),$p->getID(),$p->getPublicName());
 		$project_uri = util_make_url_g ($p->getUnixName(),$p->getID());
 		// sioc:UserGroups for all members of a project are named after /projects/A_PROJECT/members/
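Review bot: The `project_read` filter is applied inside the loop, after the "This developer is a member of the following projects:" paragraph on the first context line has already been printed, so a viewer who may read none of the projects still sees the heading over an empty list, and anything computed from `$projects` before the loop (a count, for instance — I cannot see where `$projects` is built) would still include hidden projects. Filtering the array once before the print avoids both: `$projects = array_filter($projects, function ($p) { return forge_check_perm('project_read', $p->getID()); });`. The foreach body continues past the end of the hunk.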
Index: www/top/toplist.php
===================================================================
--- www/top/toplist.php	(revision 16198)
+++ www/top/toplist.php	(working copy)
@@ -47,6 +47,7 @@
 }
 // default to downloads
 else {
+	$type = 'downloads';
 	$res_top = $stats->getTopDownloads();
 	$title = _('Top Downloads');
 	$column1 = _('Downloads');
@@ -61,9 +62,17 @@
 $display_rank = 0;
 $i=0;
 while ($row_top = db_fetch_array($res_top)) {
-	if (!forge_check_perm ('project_read', $row_top['group_id']) && forge_check_perm('frs', $row_new['group_id'], 'read_public') ) {
-		continue ;
+	if (!forge_check_perm('project_read', $row_top['group_id'])) {
+		continue;
 	}
+	if (($type == 'downloads_week' || $type == 'downloads') && 0 &&
+	    !forge_check_perm('frs', $row_new['group_id'], 'read_public')) {
+		continue;
+	}
+	/*-
+	 * pageviews_proj: project_read probably enough
+	 * forumposts_week: forum read? no ideaâ?¦
+	 */
 	$i++;
 	if ($row_top["items"] == 0) {
 		continue;
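Review bot: The new FRS condition is dead code — the `&& 0 &&` short-circuits it, so `forge_check_perm('frs', ..., 'read_public')` is never evaluated — and it still reads `$row_new['group_id']`, a variable that is not assigned anywhere in this loop (the fetched row is `$row_top`), a mistake the removed line shared. If the check is deliberately disabled until its semantics are settled, the comment below should say so explicitly; if it is meant to apply, the condition should be `if (($type == 'downloads_week' || $type == 'downloads') && !forge_check_perm('frs', $row_top['group_id'], 'read_public')) { continue; }`. The trailing block comment also admits that `forumposts_week` and `pageviews_proj` get only `project_read`, so forum-level read restrictions are presumably not enforced here; a `// TODO:` marker would make that easier to find than the mojibake-laden prose. The while loop continues beyond the hunk.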
Index: common/include/Stats.class.php
===================================================================
--- common/include/Stats.class.php	(revision 16198)
+++ common/include/Stats.class.php	(working copy)
@@ -84,7 +84,7 @@
 	* @return a resultset of unix_group_name, group_name, items
 	*/
 	function getTopMessagesPosted() {
-		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.unix_group_name, g.group_name, SUM(s.msg_posted) AS items, g.group_id FROM stats_project s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.unix_group_name, g.group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
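Review bot: The `@return` docblock above the method still lists `unix_group_name, group_name, items` although the query now also returns `g.group_id`; it should read `@return a resultset of unix_group_name, group_name, items, group_id`. Adding `group_id` here is what gives toplist.php's `forge_check_perm('project_read', $row_top['group_id'])` a real id to check — before this change the resultset had no such column, which looks like the root of the disclosure. toplist.php also dispatches on `downloads_week`, `pageviews_proj` and `forumposts_week`, and only three Stats methods are touched in this diff; any other `getTop*` query backing those types that is not shown would still return rows without `group_id`, and the permission check would then run against a missing value. Worth confirming every query used by toplist.php selects `g.group_id`.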
@@ -96,7 +96,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopPageViews() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(s.page_views) AS items, g.group_id FROM stats_project_months s, groups g WHERE s.group_id=g.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
@@ -108,7 +108,7 @@
 	* @return a resultset of group_name, unix_group_name, items
 	*/
 	function getTopDownloads() {
-		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name ORDER BY items DESC',
+		return db_query_params ('SELECT g.group_name, g.unix_group_name, SUM(frs.downloads) AS items, g.group_id FROM frs_dlstats_grouptotal_vw frs, groups g WHERE g.group_id = frs.group_id AND g.status=$1 GROUP BY g.group_name, g.unix_group_name, g.group_id ORDER BY items DESC',
 					array ('A'),
 					100) ;
 	}
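Review bot: The third argument `100` to `db_query_params` (presumably a row limit) is applied in SQL, before toplist.php drops rows the viewer may not read, so hidden projects consume slots in the top-100 and the rendered list can be shorter than expected; not a disclosure, but worth a note in the docblock, e.g. `* Rows are limited to 100 before the caller applies permission filtering.`. As with the other two methods, the `@return` line above should also mention `group_id` now that it is selected.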
