Visiting a user's page gives unauthorised, but breadcrumb shows full name

Bug #493919 reported by Matt Giuca
Affects: IVLE
Status: Fix Released
Importance: Low
Assigned to: Matt Giuca
Milestone: none

Bug Description

Is this an information disclosure problem? We aren't authorised to view the object, but this piece of information is shown anyway.

Tags: security


David Coles (dcoles)
security vulnerability: no → yes
Matt Giuca (mgiuca) wrote :

From a discussion with dcoles earlier, I think we figured that this is not a bug we need to solve. The disclosure is minor (it just shows the user's nickname if you know their login). This is no worse than `finger`. I am marking this as In Progress as I'm going to investigate how easy it is to actually fix the bug, if desired. But we may end up just marking it as Won't Fix.

Changed in ivle:
assignee: nobody → Matt Giuca (mgiuca)
status: New → In Progress
Matt Giuca (mgiuca) wrote :

OK, there are three choices.

1. Consider seeing the nickname as NOT a disclosure vulnerability. Don't fix. Or,
2. Accept the following patch, which displays the nickname iff you have permission to view:
--- ivle/webapp/admin/breadcrumbs.py 2010-02-24 02:43:38 +0000
+++ ivle/webapp/admin/breadcrumbs.py 2010-02-24 03:13:11 +0000
@@ -37,7 +37,13 @@

     @property
     def text(self):
- return self.context.nick
+ perms = self.context.get_permissions(self.req.user, self.req.config)
+ # Show nickname iff current user has permission to view this user
+ # (Else, show just the login name)
+ if 'view' in perms:
+ return self.context.nick
+ else:
+ return self.context.login

     @property
     def extra_breadcrumbs_before(self):
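Review bot: `self.req` is not visible anywhere in this hunk's context, so confirm that the breadcrumb class actually stores the request (and that `get_permissions(user, config)` is the signature the user object exposes); otherwise `text` raises AttributeError on every page that renders the crumb. The fallback to `self.context.login` is safe, since the login is already in the URL the viewer requested. It is also worth checking that `'view'` is the same permission name the user view itself tests, so the breadcrumb and the page can never disagree about who may see the nickname.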

3. ....

Matt Giuca (mgiuca) wrote :

3. Always display the nickname in the breadcrumb:
--- ivle/webapp/admin/breadcrumbs.py 2010-02-24 02:43:38 +0000
+++ ivle/webapp/admin/breadcrumbs.py 2010-02-24 03:08:24 +0000
@@ -37,7 +37,7 @@

     @property
     def text(self):
- return self.context.nick
+ return self.context.login

     @property
     def extra_breadcrumbs_before(self):
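Review bot: the replacement line returns `self.context.login`, so this hunk always shows the login, not the nickname as the option's heading says; either the wording ("always display the login") or the hunk needs correcting. As written it also removes the nickname for viewers who do hold the view permission, which option 2 keeps, so it is strictly less informative than the conditional version.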

I vote number 2 -- I like breadcrumbs with the proper nickname, but I want to clean up any claim of a disclosure vulnerability. Maybe in the future we'll actually let users have a public page at ~login, and then we'll open it up again.

Matt Giuca (mgiuca) wrote :

On Will's approval, chose option #2 -- conditionally show the nickname iff the user has permission to view. Fixed in trunk r1684.

Note that if we make an open user page in the future, we won't have to revisit this bug, as presumably the "view" permission will be more open. That will automatically change the behaviour of the breadcrumb.

Changed in ivle:
status: In Progress → Fix Committed
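As an added illustration of the approach settled on above (example code written for this page, not IVLE's own code): the breadcrumb label is derived from the same permission check the user page uses, so the crumb can only disclose what the page would disclose, and widening the "view" permission later widens the crumb with no further change. The `User` model, the `closed_policy`/`open_policy` functions and the `user_page` stand-in are assumptions that model the behaviour described in the thread; the sample users are constructed.

```python
"""Permission-gated breadcrumb, modelled on the fix discussed in the bug.

Everything here is a constructed stand-in for IVLE's user object, request
and get_permissions(); names and policies are assumptions, not IVLE's API.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class User:
    login: str
    nick: str
    admin: bool = False


# A policy maps (target user, viewer or None for anonymous) to a permission set.
Policy = Callable[[User, Optional[User]], Set[str]]


def closed_policy(target: User, viewer: Optional[User]) -> Set[str]:
    """Assumed current policy: users may view themselves, admins may view anyone."""
    if viewer is None:
        return set()
    if viewer.admin or viewer.login == target.login:
        return {"view"}
    return set()


def open_policy(target: User, viewer: Optional[User]) -> Set[str]:
    """Assumed future 'public ~login page' policy: everyone gets 'view'."""
    return closed_policy(target, viewer) | {"view"}


def user_page(target: User, viewer: Optional[User], policy: Policy) -> Optional[str]:
    """Stand-in for the user page: the nickname, or None when unauthorised."""
    if "view" not in policy(target, viewer):
        return None
    return target.nick


def legacy_breadcrumb_text(target: User) -> str:
    """Pre-fix behaviour from the bug report: nickname shown unconditionally."""
    return target.nick


class UserBreadcrumb:
    """Breadcrumb whose label comes from the same check the page uses (option 2)."""

    def __init__(self, context: User, viewer: Optional[User], policy: Policy):
        self.context = context
        self.viewer = viewer
        self.policy = policy

    @property
    def text(self) -> str:
        # Nickname iff the viewer may view this user; otherwise fall back to
        # the login, which the viewer already supplied in the URL.
        if "view" in self.policy(self.context, self.viewer):
            return self.context.nick
        return self.context.login


def leaks(crumb_text: str, target: User, viewer: Optional[User], policy: Policy) -> bool:
    """True if the crumb reveals a nickname the page itself would refuse to show."""
    refused = user_page(target, viewer, policy) is None
    return refused and crumb_text == target.nick and target.nick != target.login


# Constructed sample users.
ALICE = User("alice", "Alice Example")
ADMIN = User("root", "Site Admin", admin=True)
BOB = User("bob", "Bob Example")


def audit(policy: Policy) -> dict:
    """Breadcrumb text each kind of viewer sees for ALICE under `policy`,
    plus whether the fixed crumb or the legacy crumb discloses anything the
    page would not."""
    viewers = {"anonymous": None, "self": ALICE, "admin": ADMIN, "stranger": BOB}
    labels = {name: UserBreadcrumb(ALICE, v, policy).text for name, v in viewers.items()}
    fixed_leak = any(leaks(labels[n], ALICE, v, policy) for n, v in viewers.items())
    legacy_leak = any(leaks(legacy_breadcrumb_text(ALICE), ALICE, v, policy)
                      for v in viewers.values())
    return {"labels": labels, "leak": fixed_leak, "legacy_leak": legacy_leak}


if __name__ == "__main__":
    for name, pol in (("closed", closed_policy), ("open", open_policy)):
        print(name, audit(pol))
```

Under the closed policy the legacy crumb leaks the nickname to anonymous and stranger viewers while the fixed crumb shows only the login; switching to the open policy changes the fixed crumb's output for strangers without touching `UserBreadcrumb`, which is the point made in the last comment above.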
William Grant (wgrant)
Changed in ivle:
status: Fix Committed → Fix Released