Issue 828901
Created on 2003-10-23 12:53 by thomas_ah, last changed 2003-10-24 07:51 by thomas_ah.

msg1018
Author: [hidden] (thomas_ah)
Date: 2003-10-23 12:53
The anonymous user can edit its own record.
If someone uses this to rename the anonymous user,
anonymous access is no longer possible.
Attached is a patch against HEAD and maint-0-6 which
fixes this security problem.

msg1019
Author: [hidden] (thomas_ah)
Date: 2003-10-23 12:54
... and nobody can log in, because only the anonymous user
sees the login form.

msg1020
Author: [hidden] (jlgijsbers)
Date: 2003-10-23 21:36
Can you actually rename the user? I get a KeyError: 'No key
(username) value "anonymous" for "user"'. Anyway, I'm just
wondering why your patch also disallows viewing the
anonymous user? That isn't a security risk, is it?
Also, note that your patch makes the anonymous user
uneditable, even for admins. I can't think of a reason to
edit the anonymous user, so this is probably not a problem, though.

msg1021
Author: [hidden] (thomas_ah)
Date: 2003-10-24 07:51
Yes, renaming is really possible. Maybe you have to add an
email address if you use userauditor.py to enforce this.
Admin can also only edit it when supplying an email address.
Viewing the anonymous user shouldn't be a security risk, but
it isn't needed. Maybe someone gives it a special email
address or something. Hiding it doesn't break anything, so
why allow it? Any other user isn't allowed to view
anonymous either.
To summarize it: I still think the patch is correct.

msg1022
Author: [hidden] (jlgijsbers)
Date: 2003-10-24 09:33
I still can't rename the user myself, but I do agree that
the patch is correct. I've checked it in on both maint-0-6
and HEAD.
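As an added illustration, not Roundup's code and not the patch attached to this issue, the following Python models the own-record permission check the thread discusses, with the reported weakness (the anonymous account passes the check on its own record and can rename it) beside the guarded version that makes the anonymous record off limits for everyone, admins included; the user table, role strings and helper names are constructed for the example.

```python
"""Toy model of a Roundup-style 'own record' permission check and the fix this
issue discusses. Added example; the data and helper names are constructed."""
import copy

ANONYMOUS = 'anonymous'

# Constructed sample user table (ids, names and role strings are made up):
# Roundup's 'user' class keys records by id and carries a 'username'.
USERS = {
    '1': {'username': 'admin', 'roles': 'Admin'},
    '2': {'username': ANONYMOUS, 'roles': 'Anonymous'},
    '3': {'username': 'alice', 'roles': 'User'},
}

def fresh_db():
    """Independent copy of the sample table for one scenario."""
    return copy.deepcopy(USERS)

def find_user(db, username):
    """Look a user id up by name, as the login path does; None when no
    record carries that name, which is what breaks anonymous access
    once the anonymous record has been renamed."""
    for uid, rec in db.items():
        if rec['username'] == username:
            return uid
    return None

def own_record(db, userid, itemid):
    """Per-item check: the caller is the record being accessed."""
    return userid == itemid

def has_permission(db, userid, itemid, protect_anonymous=True):
    """Stand-in for the tracker's Edit/View evaluation on the user class.
    With protect_anonymous=False the anonymous account passes own_record
    on itself, which is the hole reported here."""
    if protect_anonymous and db[itemid]['username'] == ANONYMOUS:
        return False  # off limits for everyone, admins included
    if db[userid]['roles'] == 'Admin':
        return True
    return own_record(db, userid, itemid)

def rename_user(db, actor, itemid, new_name, protect_anonymous=True):
    """Apply a username edit only if the permission check passes."""
    if not has_permission(db, actor, itemid, protect_anonymous):
        return False
    db[itemid]['username'] = new_name
    return True
```

With the guard off, the anonymous account renames itself and `find_user(db, ANONYMOUS)` then returns None, which is the lock-out the reporter describes; with the guard on, the rename is refused for anonymous and admin alike while ordinary users still edit their own records.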

Date | User | Action | Args
2003-10-23 12:53:18 | thomas_ah | create |