Posted to issues@trafficcontrol.apache.org by dg4prez <gi...@git.apache.org> on 2017/03/13 23:01:52 UTC

[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

GitHub user dg4prez opened a pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/356

    Security Enhancement - secures DB dumps

    Prevents access levels lower than oper (20) from accessing database dump functionality. 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/dg4prez/incubator-trafficcontrol login_security

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-trafficcontrol/pull/356.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #356
    
----
commit a165916ba21f6b76629e26499707955af779db7d
Author: Derek Gelinas <de...@cable.comcast.com>
Date:   2017-03-13T22:59:45Z

    secures DB dumps

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

Posted by mitchell852 <gi...@git.apache.org>.
Github user mitchell852 commented on a diff in the pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/356#discussion_r105957356
  
    --- Diff: traffic_ops/app/lib/UI/GenDbDump.pm ---
    @@ -32,6 +33,10 @@ sub dbdump {
     		$self->internal_server_error( { Error => "Error dumping database" } );	
     		return;
     	}
    +	if ( !&is_oper($self) ) {
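Review bot: the `is_oper` check is inserted after the dump's error-handling block, so by the time the caller's role is tested the dump has already been run; for an authorization gate this ordering means the work (and any dump output it produces) happens before an unauthorized caller is refused. Move `if ( !&is_oper($self) ) { ... return; }` to the top of `sub dbdump`, before the dump is started, so nothing is generated for a caller who is then rejected.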
    --- End diff --
    
    why don't you do this permissions check before you do the actual dump?



[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-trafficcontrol/pull/356



[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

Posted by dg4prez <gi...@git.apache.org>.
Github user dg4prez commented on a diff in the pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/356#discussion_r105958824
  
    --- Diff: traffic_ops/app/lib/UI/GenDbDump.pm ---
    @@ -32,6 +33,10 @@ sub dbdump {
     		$self->internal_server_error( { Error => "Error dumping database" } );	
     		return;
     	}
    +	if ( !&is_oper($self) ) {
    --- End diff --
    
    Very good point.  Moved.



[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

Posted by mitchell852 <gi...@git.apache.org>.
Github user mitchell852 commented on a diff in the pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/356#discussion_r106014345
  
    --- Diff: traffic_ops/app/lib/UI/GenDbDump.pm ---
    @@ -17,11 +17,17 @@ package UI::GenDbDump;
     #
     use Mojo::Base 'Mojolicious::Controller';
     use Data::Dumper;
    +use UI::Utils;
     
     sub dbdump {
     	my $self = shift;
     	my $filename = $self->param('filename');
     
    +	if ( !&is_oper($self) ) {
    +		$self->internal_server_error( { Error => "Insufficient permissions for DB Dump. Admin access is required." } );	
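Review bot: the message "Insufficient permissions for DB Dump. Admin access is required." does not match the check: `is_oper` admits the oper role as well as admin, so either the text should read "Admin or oper role is required" or the check should become `is_admin`. Separately, reporting an authorization failure through `internal_server_error` returns a 500; a 403 Forbidden response describes the condition accurately and keeps access-denied events distinguishable from genuine server faults in logs and monitoring. The added line also carries trailing whitespace after `);`.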
    --- End diff --
    
    unless you want to change that to is_admin()



[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

Posted by dg4prez <gi...@git.apache.org>.
Github user dg4prez commented on a diff in the pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/356#discussion_r106016265
  
    --- Diff: traffic_ops/app/lib/UI/GenDbDump.pm ---
    @@ -17,11 +17,17 @@ package UI::GenDbDump;
     #
     use Mojo::Base 'Mojolicious::Controller';
     use Data::Dumper;
    +use UI::Utils;
     
     sub dbdump {
     	my $self = shift;
     	my $filename = $self->param('filename');
     
    +	if ( !&is_oper($self) ) {
    +		$self->internal_server_error( { Error => "Insufficient permissions for DB Dump. Admin access is required." } );	
    --- End diff --
    
    Fixed.



[GitHub] incubator-trafficcontrol pull request #356: Security Enhancement - secures D...

Posted by mitchell852 <gi...@git.apache.org>.
Github user mitchell852 commented on a diff in the pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/356#discussion_r106014242
  
    --- Diff: traffic_ops/app/lib/UI/GenDbDump.pm ---
    @@ -17,11 +17,17 @@ package UI::GenDbDump;
     #
     use Mojo::Base 'Mojolicious::Controller';
     use Data::Dumper;
    +use UI::Utils;
     
     sub dbdump {
     	my $self = shift;
     	my $filename = $self->param('filename');
     
    +	if ( !&is_oper($self) ) {
    +		$self->internal_server_error( { Error => "Insufficient permissions for DB Dump. Admin access is required." } );	
    --- End diff --
    
    your error message is not quite right :)
    
    Admin OR ops role is required...

