Check-in [21326fb6f7]

SHA1 Hash:21326fb6f7d3e2d175a80c3a603095c1f5b92f1b
Date: 2008-07-19 15:12:34
User: drh
Comment:Fix enforcement of access restrictions on reports. Do not allow reports to show the content of fields whose names begin with "private_" unless the "e" permission is enabled.

Changes

Modified src/main.c from [be97bf56d4] to [7cc029d992].

@@ -116,11 +116,11 @@
   int okRdTkt;            /* r: view tickets via web */
   int okNewTkt;           /* n: create new tickets */
   int okApndTkt;          /* c: append to tickets via the web */
   int okWrTkt;            /* w: make changes to tickets via web */
   int okTktFmt;           /* t: create new ticket report formats */
-  int okRdAddr;           /* e: read email addresses on tickets */
+  int okRdAddr;           /* e: read email addresses or other private data */
 
   FILE *fDebug;           /* Write debug information here, if the file exists */
 
   /* Storage for the aux() and/or option() SQL function arguments */
   int nAux;                    /* Number of distinct aux() or option() values */

Modified src/report.c from [1a3b1f6f03] to [fee58e3fd7].

@@ -154,12 +154,12 @@
   const char *zArg1,
   const char *zArg2,
   const char *zArg3,
   const char *zArg4
 ){
-  char *zError = *(char**)pError;
-  if( zError ){
+  int rc = SQLITE_OK;
+  if( *(char**)pError ){
     /* We've already seen an error.  No need to continue. */
     return SQLITE_OK;
   }
   switch( code ){
     case SQLITE_SELECT:
@@ -180,20 +180,24 @@
       int i;
       for(i=0; i<sizeof(azAllowed)/sizeof(azAllowed[0]); i++){
         if( strcasecmp(zArg1, azAllowed[i])==0 ) break;
       }
       if( i>=sizeof(azAllowed)/sizeof(azAllowed[0]) ){
-        zError = mprintf("cannot access table %s", zArg1);
+        *(char**)pError = mprintf("access to table \"%s\" is restricted",zArg1);
+        rc = SQLITE_DENY;
+      }else if( !g.okRdAddr && strncmp(zArg2, "private_", 8)==0 ){
+        rc = SQLITE_IGNORE;
       }
       break;
     }
     default: {
-      zError = mprintf("only SELECT statements are allowed");
+      *(char**)pError = mprintf("only SELECT statements are allowed");
+      rc = SQLITE_DENY;
       break;
     }
   }
-  return SQLITE_OK;
+  return rc;
 }
 
 
 /*
 ** Check the given SQL to see if is a valid query that does not
@@ -875,10 +879,12 @@
   char *zTitle;
   char *zOwner;
   char *zClrKey;
   int tabs;
   Stmt q;
+  char *zErr1 = 0;
+  char *zErr2 = 0;
 
   login_check_credentials();
   if( !g.okRead ){ login_needed(); return; }
   rn = atoi(PD("rn","0"));
   if( rn==0 ){
@@ -932,13 +938,22 @@
     output_color_key(zClrKey, 1,
         "border=0 cellpadding=3 cellspacing=0 class=\"report\"");
     @ <table border=1 cellpadding=2 cellspacing=0 class="report">
     sState.rn = rn;
     sState.nCount = 0;
-    sqlite3_exec(g.db, zSql, generate_html, &sState, 0);
+    sqlite3_set_authorizer(g.db, report_query_authorizer, (void*)&zErr1);
+    sqlite3_exec(g.db, zSql, generate_html, &sState, &zErr2);
+    sqlite3_set_authorizer(g.db, 0, 0);
     @ </table>
+    if( zErr1 ){
+      @ <p><font color="red"><b>Error: %h(zErr1)</b></font></p>
+    }else if( zErr2 ){
+      @ <p><font color="red"><b>Error: %h(zErr2)</b></font></p>
+    }
     style_footer();
   }else{
-    sqlite3_exec(g.db, zSql, output_tab_separated, &count, 0);
+    sqlite3_set_authorizer(g.db, report_query_authorizer, (void*)&zErr1);
+    sqlite3_exec(g.db, zSql, output_tab_separated, &count, &zErr2);
+    sqlite3_set_authorizer(g.db, 0, 0);
     cgi_set_content_type("text/plain");
   }
 }
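Review bot: In the tab-separated branch at the end of the last hunk (the `else` after `style_footer()`), the authorizer and exec error strings are captured in zErr1/zErr2 but neither reported nor released, so a report that trips the new table or column restriction comes back as an empty text/plain body with no diagnostic; mirroring the HTML branch with `if( zErr1 ){ @ Error: %h(zErr1) }else if( zErr2 ){ @ Error: %h(zErr2) }` would make the denial visible. Both branches also leak the strings: zErr2 is allocated by SQLite and must be released with `sqlite3_free(zErr2);`, and zErr1 with whatever release call pairs with mprintf in this codebase, so both should be freed before the function returns (the enclosing function starts outside the hunk). In report_query_authorizer, the new column test `strncmp(zArg2, "private_", 8)` is case-sensitive while the table test two lines above uses strcasecmp; since SQLite identifiers are case-insensitive and the ticket schema is admin-editable (tktsetup.c), `strncasecmp(zArg2, "private_", 8)==0` keeps the two checks consistent, otherwise a column declared as `Private_foo` would presumably slip past the filter.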

Modified src/setup.c from [a90d39e174] to [c163109c85].

@@ -136,11 +136,11 @@
   @ <li><p>The permission flags are as follows:</p>
   @ <ol type="a">
   @ <li value="1"><b>Admin</b>: Create and delete users</li>
   @ <li value="3"><b>Append-Tkt</b>: Append to tickets</li>
   @ <li value="4"><b>Delete</b>: Delete wiki and tickets</li>
-  @ <li value="5"><b>Email</b>: View EMail addresses on tickets</li>
+  @ <li value="5"><b>Email</b>: View sensitive data such as EMail addresses</li>
   @ <li value="6"><b>New-Wiki</b>: Create new wiki pages</li>
   @ <li value="7"><b>Clone</b>: Clone the repository</li>
   @ <li value="8"><b>History</b>: View detail repository history</li>
   @ <li value="9"><b>Check-In</b>: Commit new versions in the repository</li>
   @ <li value="10"><b>Read-Wiki</b>: View wiki pages</li>

Modified src/tktsetup.c from [e7df19c0f4] to [af01500203].

@@ -56,10 +56,14 @@
     "The default color key for reports.");
   @ </table>
   style_footer();
 }
 
+/*
+** NOTE:  When changing the table definition below, also change the
+** equivalent definition found in schema.c.
+*/
 /* @-comment: ** */
 static const char zDefaultTicketTable[] =
 @ CREATE TABLE ticket(
 @   -- Do not change any column that begins with tkt_
 @   tkt_id INTEGER PRIMARY KEY,
@@ -70,11 +74,11 @@
 @   status TEXT,
 @   subsystem TEXT,
 @   priority TEXT,
 @   severity TEXT,
 @   foundin TEXT,
-@   contact TEXT,
+@   private_contact TEXT,
 @   resolution TEXT,
 @   title TEXT,
 @   comment TEXT,
 @   -- Do not alter this UNIQUE clause:
 @   UNIQUE(tkt_uuid, tkt_mtime)
@@ -125,10 +129,11 @@
     if( xText && (zErr = xText(z))!=0 ){
       @ <p><font color="red"><b>ERROR: %h(zErr)</b></font></p>
     }else{
       db_set(zDbField, z, 0);
       if( xRebuild ) xRebuild();
+      cgi_redirect("tktsetup");
     }
   }
   @ <form action="%s(g.zBaseURL)/%s(g.zPath)" method="POST">
   @ <p>%s(zDesc)</p>
   @ <textarea name="x" rows="%d(height)" cols="80">%h(z)</textarea>
@@ -276,11 +281,11 @@
 @ effect the operation of the product?</td>
 @ </tr>
 @
 @ <tr>
 @ <td align="right">EMail:
-@ <input type="text" name="contact" value="$<contact>" size="30">
+@ <input type="text" name="private_contact" value="$<private_contact>" size="30">
 @ </td>
 @ <td><u>Not publicly visible</u>. Used by developers to contact you with
 @ questions.</td>
 @ </tr>
 @
@@ -377,11 +382,11 @@
 @ <tr><td align="right">Last&nbsp;Modified:</td><td bgcolor="#d0d0d0">
 @ $<tkt_datetime>
 @ </td>
 @ <th1>enable_output [hascap e]</th1>
 @   <td align="right">Contact:</td><td bgcolor="#d0d0d0">
-@   $<contact>
+@   $<private_contact>
 @   </td>
 @ <th1>enable_output 1</th1>
 @ </tr>
 @ <tr><td align="right">Version&nbsp;Found&nbsp;In:</td>
 @ <td colspan="3" valign="top" bgcolor="#d0d0d0">
@@ -461,11 +466,12 @@
 @ <tr><td align="right">Subsystem:</td><td>
 @ <th1>combobox subsystem $subsystem_choices 1</th1>
 @ </td></tr>
 @ <th1>enable_output [hascap e]</th1>
 @   <tr><td align="right">Contact:</td><td>
-@   <input type="text" name="contact" size="40" value="$<contact>">
+@   <input type="text" name="private_contact" size="40"
+@    value="$<private_contact>">
 @   </td></tr>
 @ <th1>enable_output 1</th1>
 @ <tr><td align="right">Version&nbsp;Found&nbsp;In:</td><td>
 @ <input type="text" name="foundin" size="50" value="$<foundin>">
 @ </td></tr>
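Review bot: The comment added above zDefaultTicketTable says the definition must be kept in sync with schema.c, but this check-in lists no change to schema.c, so either the two definitions now differ after the `contact` → `private_contact` rename or the comment is ahead of the code; that file is not shown here, so it is worth confirming. Renaming the column in the default template also only affects ticket tables created from now on: a repository whose ticket table was created with the old `contact` column keeps that name, and the `private_` prefix check in report.c will not hide it, so the comment should say so, e.g. `** Existing repositories must rename their contact column to private_contact for report-level filtering of that field to apply.`, or the rebuild path should handle the migration. The `$<private_contact>` template edits are consistent with the rename.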