
[#757] gitweb browsing w/o access control

Date: 2015-03-02 16:33
Priority: 3
State: Closed
Submitted by: Chanh TRAN (ctran)
Assigned to: Roland Mas (lolando)
Target Release: 6.0
Found in Version: 5.3.2
Severity: critical
Resolution: Fixed
Summary: gitweb browsing w/o access control

Detailed description
Hi all,

I've been running FF5.0.1 for quite a while & my big bad surprise today is to discover that the following link gives access to all our Git repositories, belonging to either public or private projects, & that even to non-logged-in users.
http://mysite/plugins/scmgit/cgi-bin/gitweb

And the same thing also occurs on 'fusionforge.org' via 'http://fusionforge.org/plugins/scmgit/cgi-bin/gitweb.cgi'.

For me, this is really a 'security' issue & hopefully there'll be a fix ASAP.
Thx in advance
Regards
Message
Date: 2015-05-12 13:49
Sender: Sylvain Beucler

Confirmed fixed in 6.0.

Date: 2015-04-13 09:22
Sender: Roland Mas

This has been fixed for 6.0: gitweb now runs as the identity of the user making the request, so it has the same permissions.

Field           Old Value  Date              By
status_id       Open       2015-05-12 13:49  beuc-inria
close_date      None       2015-05-12 13:49  beuc-inria
assigned_to     none       2015-04-13 09:22  lolando
Target Release  None       2015-04-13 09:22  lolando
Resolution      None       2015-04-13 09:22  lolando
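
A regression check an administrator could run against their own forge after upgrading, as an added example (not FusionForge code and not part of the original report): it parses a gitweb project list fetched without a session and reports any private repository that appears in it. The HTML samples, repository names and function names are constructed for illustration; fetching the page is left to the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class GitwebProjects(HTMLParser):
    """Collect repository names from gitweb links of the form ?p=<repo>;a=<action>."""

    def __init__(self):
        super().__init__()
        self.projects = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        # gitweb separates query parameters with ';' ('&' is accepted as well).
        for param in re.split(r"[;&]", urlsplit(href).query):
            key, _, value = param.partition("=")
            if key == "p" and value:
                self.projects.add(unquote(value))


def listed_projects(html):
    """Return the set of repositories linked from a gitweb page."""
    parser = GitwebProjects()
    parser.feed(html)
    return parser.projects


def leaked_private_repos(anonymous_html, private_repos):
    """Private repositories visible in a response fetched without logging in."""
    return sorted(listed_projects(anonymous_html) & set(private_repos))


# Constructed inputs: the forge's private repositories and two anonymous responses.
PRIVATE = {"internal-tools/internal-tools.git"}
ROW = '<tr><td><a class="list" href="/plugins/scmgit/cgi-bin/gitweb.cgi?p=%s;a=summary">%s</a></td></tr>'
UNFILTERED = "<table>" + ROW % ("demo/demo.git", "demo") + \
    ROW % ("internal-tools%2Finternal-tools.git", "internal-tools") + "</table>"
FILTERED = "<table>" + ROW % ("demo/demo.git", "demo") + "</table>"

if __name__ == "__main__":
    for label, page in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        leaks = leaked_private_repos(page, PRIVATE)
        print(label, "FAIL " + ", ".join(leaks) if leaks else "ok")
```
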