View Revisions: Issue #27039

Summary 0027039: CVE-2020-25781: Access to private bug note attachments
Revision 2020-09-09 04:09 by dregad
Description

Sorry for my English.

The problem.
A user that has access to a project's issue (VS_PUBLIC), but does not have access to the private bug notes of that issue, can download private bug note attachments directly (via the file download URL /file_download.php?file_id={FILE_ID}&type=bug).

The possible solution.
Need to check access for private bug note attachments. Something similar to what was done in 0026893.

Added a patch as an example solution (file_download.php[113-129]).
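The following is an added, stand-alone model of the missing check, not the reporter's patch and not MantisBT code: it reproduces the download decision as the report describes it (only the owning bug is checked) next to a version that also resolves the attachment's bugnote and applies the bugnote's view state. The record shapes, the in-memory tables and the rule that a private note is readable by its reporter or by users at or above the private-bugnote threshold are assumptions modelled on MantisBT's behaviour.

```python
# Added example: models the access gap in file_download.php (type=bug).
# Constants mirror MantisBT's values; everything else is constructed.
VS_PUBLIC, VS_PRIVATE = 10, 50          # MantisBT view-state constants
VIEWER, DEVELOPER = 25, 55              # MantisBT access levels (subset)
VIEW_BUG_THRESHOLD = VIEWER             # assumed: who may view bugs
PRIVATE_BUGNOTE_THRESHOLD = DEVELOPER   # assumed: who may read private notes

# Constructed sample data: one public bug, one private note on it, two files.
BUGS = {100: {"view_state": VS_PUBLIC}}
BUGNOTES = {500: {"bug_id": 100, "reporter_id": 2, "view_state": VS_PRIVATE}}
FILES = {
    1: {"bug_id": 100, "bugnote_id": 0},    # attached directly to the bug
    2: {"bug_id": 100, "bugnote_id": 500},  # attached to the private note
}
USER_LEVEL = {1: VIEWER, 2: VIEWER, 3: DEVELOPER}  # user_id -> project level


def can_view_bug(user_id, bug_id):
    """The check the download script already performs: bug-level access."""
    bug = BUGS[bug_id]
    level = USER_LEVEL.get(user_id, 0)
    if bug["view_state"] == VS_PRIVATE:
        return level >= PRIVATE_BUGNOTE_THRESHOLD
    return level >= VIEW_BUG_THRESHOLD


def can_view_bugnote(user_id, bugnote_id):
    """The missing check: a private note is visible only to its reporter
    or to users at or above PRIVATE_BUGNOTE_THRESHOLD (assumed rule)."""
    note = BUGNOTES[bugnote_id]
    if not can_view_bug(user_id, note["bug_id"]):
        return False
    if note["view_state"] == VS_PUBLIC:
        return True
    return (user_id == note["reporter_id"]
            or USER_LEVEL.get(user_id, 0) >= PRIVATE_BUGNOTE_THRESHOLD)


def download_allowed_vulnerable(user_id, file_id):
    """Behaviour described in the report: only the owning bug is checked."""
    return can_view_bug(user_id, FILES[file_id]["bug_id"])


def download_allowed_fixed(user_id, file_id):
    """Hardened: a file attached to a bugnote also needs bugnote access."""
    f = FILES[file_id]
    if not can_view_bug(user_id, f["bug_id"]):
        return False
    if f["bugnote_id"] != 0:            # 0 means "attached to the bug itself"
        return can_view_bugnote(user_id, f["bugnote_id"])
    return True
```

User 1 can view the public bug but is neither the note's reporter nor a developer, so the modelled vulnerable path serves file 2 while the hardened path refuses it; files attached directly to the bug are unaffected.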

Revision 2020-06-16 05:08 by pijama