Issue 1590: Security with a draft patch set on a change that a later patchset made publishable over anonymous HTTP
Status:  New
Owner:  ----
Reported by hughdave...@gmail.com, Sep 27, 2012
Affected Version:

What steps will reproduce the problem?
1. Reduce READ permissions for anonymous users on a project so that they do not cover all branches
2. Create a draft patch set in a branch that is READable by anonymous users (refs/changes/wx/wxyz/1)
3. Create a new patch set for the same change, but make it publishable (refs/changes/wx/wxyz/2)
4. Try git ls-remote over HTTP; it will show the refs for both the draft (/1) and the non-draft (/2)
5. Fetch the draft over HTTP

What is the expected output? What do you see instead?
The draft should not be visible, as the web interface hides it.

Please provide any additional information below.

This is related to issue 1588 and issue 1589.

Currently, if an anonymous user passes the allRefsAreVisible() method on the ProjectControl class, then they can see everything. This method only takes into account the READ permission and not draft status.

If that function fails, then a VisibleRefFilter class is instantiated to filter out what the user can see. This filter calls that same method, but as it returned false before, it will do the same now. It then finds all the visible changes for that project (taking into account the draft status of the change).

This means that drafts cannot be enforced when the anonymous user has READ permissions on the entire project. That is the reason for step 1.

The above description is issue 1588. Note that the VisibleRefFilter only takes into account the draft status of a change, not of an individual patch set. A fix to that is to test the patch set as well as the change.

I am working on a solution to this, which will be based on issues 1588 and 1589, but am happy to submit it wherever you want it to get feedback.
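The following is an added, simplified model of the visibility logic the report describes; it is not Gerrit's code, and the branch names, change refs and helper names are constructed for illustration. It shows the unfiltered path taken when READ covers every branch (issue 1588), the filter that checks only the change-level draft flag (this report), and the same filter also testing each patch set.

```python
from dataclasses import dataclass


@dataclass
class PatchSet:
    ref: str      # constructed example: refs/changes/45/12345/1
    draft: bool   # per-patch-set draft status


@dataclass
class Change:
    branch: str
    draft: bool          # change-level status, the only flag the filter checked
    patch_sets: list     # PatchSet objects


def all_refs_visible(read_branches, project_branches):
    # Models allRefsAreVisible(): READ on every branch means no filtering,
    # regardless of any draft status (issue 1588).
    return set(project_branches) <= set(read_branches)


def visible_refs(changes, read_branches, project_branches, check_patch_sets):
    """Refs an anonymous HTTP client would see in git ls-remote."""
    if all_refs_visible(read_branches, project_branches):
        return sorted(ps.ref for c in changes for ps in c.patch_sets)
    out = []
    for c in changes:
        if c.branch not in read_branches or c.draft:
            continue  # change-level check (what VisibleRefFilter did)
        for ps in c.patch_sets:
            if check_patch_sets and ps.draft:
                continue  # the proposed fix: also test the patch set
            out.append(ps.ref)
    return sorted(out)


# Constructed sample mirroring steps 2-3: patch set 1 stayed a draft, patch
# set 2 was made publishable, so the change as a whole is no longer a draft.
CHANGE = Change("refs/heads/master", False,
                [PatchSet("refs/changes/45/12345/1", True),
                 PatchSet("refs/changes/45/12345/2", False)])
PROJECT_BRANCHES = ["refs/heads/master", "refs/heads/private"]
ANON_READ = ["refs/heads/master"]   # step 1: READ no longer covers all branches


def reproduce():      # change-level check only: the draft /1 leaks
    return visible_refs([CHANGE], ANON_READ, PROJECT_BRANCHES, False)


def fixed():          # patch-set check added: only /2 is listed
    return visible_refs([CHANGE], ANON_READ, PROJECT_BRANCHES, True)


def unrestricted():   # issue 1588: full READ bypasses the filter entirely
    return visible_refs([CHANGE], PROJECT_BRANCHES, PROJECT_BRANCHES, True)
```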