[Bug 659590] New: Source access disabled projects' sources are exposed to unprivileged user when binaries are published
https://bugzilla.novell.com/show_bug.cgi?id=659590

https://bugzilla.novell.com/show_bug.cgi?id=659590#c0

           Summary: Source access disabled projects' sources are exposed to
                    unprivileged user when binaries are published
    Classification: Internal Novell Products
           Product: openSUSE Build Service
           Version: master
          Platform: 64bit
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: General
        AssignedTo: adrian@novell.com
        ReportedBy: ext-senthil.muthukalai@nokia.com
         QAContact: adrian@novell.com
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3

Source access disabled projects' sources are exposed to unprivileged user when binaries are published

Reproducible: Always

Steps to Reproduce:
1. Create a project prj1 with package pkg1 inside it with u1 as obs user. While creating the project and package, check the option 'deny access to source'.
2. Upload some source files which would trigger a build.
3. Log in to obs webui as u2 who has no privilege and try to access the (download) repository.
4. Repeat the experiments with LDAP users.

Actual Results:
Since the 'publish' flags were enabled, the unprivileged user can also download the sources along with the published binaries. Same case for LDAP users too.

Expected Results:
The sources should not be accessible to the unprivileged user.

    obs@linux-4kg9:~/workarea> osc meta prj closed
    WARNING: SSL certificate checks disabled. Connection is insecure!
    <project name="closed">
      <title>closed</title>
      <description/>
      <person userid="obs_user4" role="maintainer"/>
      <person userid="obs_user4" role="bugowner"/>
      <sourceaccess>
        <disable/>
      </sourceaccess>
      <repository name="test_standard">
        <path repository="standard" project="test"/>
        <arch>x86_64</arch>
        <arch>i586</arch>
      </repository>
    obs@linux-4kg9:~/workarea> osc meta pkg closed closed1
    WARNING: SSL certificate checks disabled. Connection is insecure!
    <package project="closed" name="closed1">
      <title>closed1</title>
      <description/>
      <sourceaccess>
        <disable/>
      </sourceaccess>
    </package>
    obs@linux-4kg9:~/workarea>
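An added example, not part of the bug report or of OBS itself: a small audit over project meta XML that lists repositories still published while source access is disabled, the combination described in the report above. The flag evaluation is a simplified assumption (repository-level entries only, arch-specific entries ignored, a flag with no entry counts as enabled), and SAMPLE_META is constructed from the quoted meta with a closing tag added so that it parses.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the project meta quoted in the report
# (closing </project> tag added so the document is well-formed).
SAMPLE_META = """<project name="closed">
  <title>closed</title>
  <description/>
  <sourceaccess>
    <disable/>
  </sourceaccess>
  <repository name="test_standard">
    <path repository="standard" project="test"/>
    <arch>x86_64</arch>
    <arch>i586</arch>
  </repository>
</project>"""


def flag_disabled(root, flag, repo=None):
    """Simplified flag evaluation (assumption, not OBS's own logic):
    a repository-specific entry wins over a global one, arch-specific
    entries are ignored, and a flag with no entry counts as enabled."""
    node = root.find(flag)
    if node is None:
        return False
    state = {}
    for entry in node:
        if entry.tag in ("enable", "disable") and entry.get("arch") is None:
            state[entry.get("repository")] = entry.tag == "disable"
    if repo in state:
        return state[repo]
    return state.get(None, False)


def exposed_repositories(meta_xml):
    """Return the repositories that are still published although source
    access is disabled for the project."""
    root = ET.fromstring(meta_xml)
    if not flag_disabled(root, "sourceaccess"):
        return []
    return [r.get("name") for r in root.findall("repository")
            if not flag_disabled(root, "publish", r.get("name"))]


if __name__ == "__main__":
    for name in exposed_repositories(SAMPLE_META):
        print("published despite sourceaccess disable:", name)
```
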