Opened 7 years ago

Closed 7 years ago

#4275 closed defect (fixed)

Any sensible info to be kept private in trac tickets?

Reported by: strk
Owned by: jmckenna
Priority: normal
Milestone:
Component: MapServer C Library
Version: unspecified
Severity: normal
Keywords:
Cc: jmckenna, tomkralidis, warmerdam, hobu

Description

I'm reviewing the Trac plugins used on OSGeo and found you are the only one actually using the SecureTicket plugin. As the wiki talks about local modifications but doesn't give more detail about it, before going through trying to figure out how to port local changes to new versions of the plugin I'd like to know if the plugin is actually in use.

So, would any sensible information become public if we drop the SecurePlugin from this trac instance?

Refs: https://wiki.osgeo.org/wiki/Trac_Instances#Secure_Tickets https://trac.osgeo.org/osgeo/ticket/1816

Change History (6)

comment:1 by strk, 7 years ago

I think I figured what the supposed modification was (allowing to specify private_components rather than public_components) but the installed plugin does not check for private_components so doesn't look like being the modified one.

This makes me think no tickets in mapserver trac are currently private, making the plugin useless. Is it ok then to drop the plugin or do you prefer to fix it (but not the information leaked for at least 2 years now...)

comment:2 by strk, 7 years ago

Example ticket in supposedly-private component: https://trac.osgeo.org/mapserver/ticket/4086 As you can see it's fully visible (together with other 3 tickets) -- I'd disable the plugin and be done with this.

comment:3 by jmckenna, 7 years ago

Good find! Those 3 "secure" tickets are fully exposed now in Trac (https://trac.osgeo.org/mapserver/query?status=!closed&component=Security%2FVulnerability+(Private))

I know we have a MapServer PSC meeting coming up on the 19th (https://github.com/mapserver/mapserver/wiki/PSC-Meeting-2017-01-19), but this might have to be dealt with now. So I personally think:

  • OK to drop the SecureTicket plugin now from Trac (this isn't working anyway, and doesn't need full PSC approval)
  • we must somehow scrub those 3 "secure" tickets that are showing on this old Trac instance. (the same 3 tickets on Github are nicely scrubbed https://github.com/mapserver/mapserver/issues/4086)
    • maybe we should just delete those 3 old tickets from the Trac instance, while we have @strk on the case now? 4086, 3907, 4022

comment:4 by strk, 7 years ago

I'll drop the plugin then. As for deleting/scrambling the tickets, any trac admin (jmckenna being one) can enable the TicketDeleter plugin (under admin/plugins/Trac).

comment:5 by strk, 7 years ago

Owner: changed from sdlime to jmckenna

Plugin was removed. Will leave this open for you to deal with, Jeff.

comment:6 by jmckenna, 7 years ago

Resolution: fixed
Status: new → closed

The 3 tickets have been deleted from the Trac instance (4086, 3907, 4022).
