[evolvis-commits] r18221: small-fixes pending merges: Thorsten Glaser 2012-04-02 [#2945] prevent non-logged-in users from determining hidden group existence

mirabilos at evolvis.org mirabilos at evolvis.org
Tue Apr 3 12:06:36 CEST 2012


Author: mirabilos
Date: 2012-04-03 12:06:35 +0200 (Tue, 03 Apr 2012)
New Revision: 18221

Modified:
   trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
   trunk/gforge_base/evolvisforge-5.1/src/www/include/html.php
   trunk/gforge_base/evolvisforge-5.1/src/www/projects
Log:
small-fixes pending merges:
  Thorsten Glaser 2012-04-02 [#2945] prevent non-logged-in users from determining hidden group existence


Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-03-30 18:41:08 UTC (rev 18220)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-04-03 10:06:35 UTC (rev 18221)
@@ -33,8 +33,9 @@
   * Tracker: multi-line Item Description and Comments handled correctly
   * [#2942] Rewrite Site-Admin Group List page
   * [#2932] Allow multiple Submitters in Old Power Queries
+  * [#2945] Prevent non-logged in users from determining group existence
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Fri, 30 Mar 2012 18:00:13 +0200
+ -- Thorsten Glaser <t.glaser at tarent.de>  Mon, 02 Apr 2012 12:26:31 +0200
 
 fusionforge (5.1.1+evolvis49) unstable; urgency=low
 

Modified: trunk/gforge_base/evolvisforge-5.1/src/www/include/html.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/include/html.php	2012-03-30 18:41:08 UTC (rev 18220)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/include/html.php	2012-04-03 10:06:35 UTC (rev 18221)
@@ -836,22 +836,28 @@
 
 	//get the project object
 	$project = group_get_object($group_id);
-
-	if (!$project || !is_object($project)) {
-		exit_no_group();
-	} else if ($project->isError()) {
-		if ($project->isPermissionDeniedError()) {
-			if (!session_get_user()) {
- 			$next = '/account/login.php?error_msg='.urlencode($project->getErrorMessage());
- 			if (getStringFromServer('REQUEST_METHOD') != 'POST') {
-				$next .= '&return_to='.urlencode(getStringFromServer('REQUEST_URI'));
- 			}
+	if ($project && !is_object($project)) {
+		$project = false;
+	}
+	if (!$project || $project->isError()) {
+		/* prevent information leak */
+		if (!session_get_user()) {
+			$next = '/account/login.php?error_msg=' .
+			    urlencode('You must log in to access a project.');
+			if (getStringFromServer('REQUEST_METHOD') != 'POST') {
+				$next .= '&return_to=' .
+				    urlencode(getStringFromServer('REQUEST_URI'));
+			}
 			session_redirect($next);
+			/* NOTREACHED */
 		}
-			else
-				exit_error(sprintf(_('Project access problem: %s'),$project->getErrorMessage()),'home');
+		if (!$project) {
+			exit_error(sprintf(_('Could not access the project #%d'),
+			    $group_id), 'home');
+			/* NOTREACHED */
 		}
-		exit_error(sprintf(_('Project Problem: %s'),$project->getErrorMessage()),'home');
+		exit_error(sprintf(_('Error accessing the project #%d: %s'),
+		    $group_id, $project->getErrorMessage()), 'home');
 	}
 
 	// Check permissions in case of restricted access
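Review bot: The new login prompt built at `urlencode('You must log in to access a project.')` is the only user-visible message in this hunk not passed through `_()`, whereas the two exit_error() messages added alongside it use `_('Could not access the project #%d')` and `_('Error accessing the project #%d: %s')`; `urlencode(_('You must log in to access a project.'))` would keep the block consistent and translatable. Separately, the leak is closed only if an anonymous visitor receives the same redirect for an existing hidden project as for a non-existent one, and that depends on the "Check permissions in case of restricted access" branch that begins where the hunk ends, so it is worth confirming that path also sends anonymous users to the login page rather than to a distinguishable error. The enclosing function starts before the hunk.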

Modified: trunk/gforge_base/evolvisforge-5.1/src/www/projects
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/projects	2012-03-30 18:41:08 UTC (rev 18220)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/projects	2012-04-03 10:06:35 UTC (rev 18221)
@@ -40,6 +40,14 @@
 //	test to see if the logger was successful in setting up the objects
 //
 if (!$group_id || !$project) {
+	/* prevent information leak */
+	if (!session_get_user()) {
+		/* handles the redirect for us */
+		include $gfwww.'include/project_home.php';
+		exit;
+	}
+
+	/* we are logged in for sure */
 	exit_no_group();
 }
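Review bot: The anonymous branch delegates the login redirect to `include $gfwww.'include/project_home.php';`, so this script now relies on a side effect of another file redirecting before it returns, and the following `exit` only limits the damage if it does not. The html.php change in this same revision performs the redirect directly with `session_redirect($next)`; doing the same here would make the intent explicit and keep the two error paths behaving identically for anonymous users. Note also that the branch fires when `$group_id` itself is empty, so a URL naming no group at all now sends anonymous users to the login page instead of exit_no_group(); presumably intended, but worth stating in the comment, e.g. `/* also when group_id is missing: anonymous users must not learn whether a group exists */`.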
 


