Description
Users can create trash directories and files even without having permissions. There is a possible DoS by eating up all file system inodes.
Steps to reproduce
Request: GET /SomeNonExistingPage?action=AttachFile&do=get&target=nonexisting-attachment
It will create a page directory and an empty attachments directory below the page directory. This happens even if the user is not allowed to create pages or attachments. One can even do it as a non-logged-in (anonymous) user.
Example
GET /SomeNonExistingPage?action=AttachFile&do=get&target=nonexisting-attachment
Component selection
Sorry, no idea.
Details
MoinMoin Version | 1.9.7
OS and Version | FreeBSD 9.0
Python Version | 2.7.3
Server Setup |
Server Details |
Language you are using the wiki in (set in the browser/UserPreferences) |
We also applied the patches 6489ec33874d and 3460b27e7f3e.
Workaround
Discussion
Note: This is not related to permissions or ACLs - ACLs are about controlling access to content (on the web UI or otherwise), not about controlling the backend's access to the filesystem.
But I found that attachment directories are created in some circumstances where this is not really needed. While fixing this, I refactored the code a bit, so getFilename is called at all places where it needs to compute an attachment filename.
I applied the fix at appspot 9215043 and could no longer reproduce the problem. Now waiting for reports, whether any legitimate use cases are broken. Thanks so far!
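The pattern behind both the report above and the fix described in the discussion, as an added example that is not MoinMoin's code and not the appspot patch: a read-only `do=get` request for a non-existent page must not create anything on disk. `attachment_path_leaky` reproduces the inode-exhaustion behaviour (the filename computation has `os.makedirs` as a side effect), `attachment_path` is the hardened form (pure path computation; directories are created only when a writer explicitly asks for them, i.e. after the upload permission check). The `data_dir/pages/<Page>/attachments/<file>` layout, the function names and the `create` flag are assumptions made for this example, not the project's API.

```python
"""Added example (not MoinMoin's own code): a read path that creates
directories as a side effect vs. one that does not.

Assumptions: a hypothetical layout data_dir/pages/<PageName>/attachments/<file>;
all function names here are invented for illustration.
"""
import os
import tempfile


def attachment_path_leaky(data_dir, pagename, target):
    # Vulnerable pattern: resolving the attachment filename creates the page
    # and attachments directories, even for an anonymous 'do=get' on a page
    # that does not exist. Every unique pagename costs two inodes.
    attach_dir = os.path.join(data_dir, "pages", pagename, "attachments")
    os.makedirs(attach_dir, exist_ok=True)
    return os.path.join(attach_dir, target)


def attachment_path(data_dir, pagename, target, create=False):
    # Hardened pattern: pure path computation by default. Only a caller that
    # is about to write (create=True) may create directories, and it should
    # do so only after its own permission check has passed.
    attach_dir = os.path.join(data_dir, "pages", pagename, "attachments")
    if create:
        os.makedirs(attach_dir, exist_ok=True)
    return os.path.join(attach_dir, target)


def do_get(data_dir, pagename, target, leaky=False):
    """Serve an attachment (simulates action=AttachFile&do=get).
    Returns the file bytes, or None if the attachment does not exist."""
    resolve = attachment_path_leaky if leaky else attachment_path
    fn = resolve(data_dir, pagename, target)
    if not os.path.isfile(fn):
        return None
    with open(fn, "rb") as f:
        return f.read()


def do_upload(data_dir, pagename, target, data):
    """Store an attachment (simulates do=upload); this is the one legitimate
    place where the directories get created."""
    fn = attachment_path(data_dir, pagename, target, create=True)
    with open(fn, "wb") as f:
        f.write(data)
    return fn


def count_dirs(root):
    """Number of directories below root (a proxy for inodes consumed)."""
    return sum(len(dirs) for _, dirs, _ in os.walk(root))


def demo():
    """Run the reported request against both variants.
    Returns {'leaky': (None, 2), 'fixed': (None, 0)}: the leaky variant
    returns 'not found' but leaves two new directories behind."""
    results = {}
    for leaky in (True, False):
        with tempfile.TemporaryDirectory() as data_dir:
            os.makedirs(os.path.join(data_dir, "pages"))
            before = count_dirs(data_dir)
            # GET /SomeNonExistingPage?action=AttachFile&do=get&target=nonexisting-attachment
            body = do_get(data_dir, "SomeNonExistingPage",
                          "nonexisting-attachment", leaky=leaky)
            results["leaky" if leaky else "fixed"] = (body, count_dirs(data_dir) - before)
    return results


def roundtrip():
    """The hardened variant still serves real attachments after an upload."""
    with tempfile.TemporaryDirectory() as data_dir:
        do_upload(data_dir, "RealPage", "note.txt", b"hello")  # constructed sample data
        return do_get(data_dir, "RealPage", "note.txt")


if __name__ == "__main__":
    print(demo())
    print(roundtrip())
```

A quick check on a live instance that the fix took: compare `find data/pages -type d | wc -l` before and after issuing the request from an anonymous session; the count must not change.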
Plan
- Priority:
- Assigned to:
Status: some fix is being developed, see https://codereview.appspot.com/9215043/