Crucible / CRUC-7516

Unprivileged users can access the list of patches in a review and their content


      Description

      We've discovered and fixed a security issue where an attacker could, using the REST API:

      • access the list of patches in a review (their filename, database id, upload date and anchor details) without authentication
      • access the patch content for any review, as long as they had view access to any other review on the server
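
The two access-control gaps described above, modelled beside checks that close them. This is an added example, not Crucible's code or its actual fix: the class, method names, review keys and sample data are constructed, and since the page does not state the root cause, the weak methods only reproduce the described behaviour.

```python
# Added example: a constructed model, not Crucible code. All names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Review:
    key: str
    viewers: set = field(default_factory=set)    # users with view access
    patches: dict = field(default_factory=dict)  # patch id -> patch content


class PatchAccess:
    def __init__(self, reviews):
        self.reviews = {r.key: r for r in reviews}

    # Weak checks: model the behaviour described in the report.
    def list_patches_weak(self, user: Optional[str], key: str):
        return sorted(self.reviews[key].patches)  # no authentication at all

    def read_patch_weak(self, user: Optional[str], key: str, patch_id: int):
        # Passes if the caller can view *some* review, not the one requested.
        if not any(user in r.viewers for r in self.reviews.values()):
            raise PermissionError("no view access")
        return self.reviews[key].patches[patch_id]

    # Hardened checks: authorize against the review that owns the patch.
    def _require_view(self, user: Optional[str], key: str) -> Review:
        review = self.reviews.get(key)
        # Same error for "missing" and "forbidden" so review keys are not enumerable.
        if user is None or review is None or user not in review.viewers:
            raise PermissionError("no view access to this review")
        return review

    def list_patches(self, user, key):
        return sorted(self._require_view(user, key).patches)

    def read_patch(self, user, key, patch_id):
        review = self._require_view(user, key)
        if patch_id not in review.patches:  # patch must belong to this review
            raise PermissionError("no view access to this review")
        return review.patches[patch_id]


# Constructed sample data: mallory can view CR-1 only, alice can view CR-2 only.
SAMPLE = PatchAccess([
    Review("CR-1", {"mallory"}, {1: "public.diff"}),
    Review("CR-2", {"alice"}, {2: "private.diff"}),
])
```

The same cases work as regression tests against a real deployment: an anonymous patch listing and a cross-review patch read must both be refused.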


            People

            Assignee: Unassigned
            Reporter: Lukasz Pater (lpater)