jonas committed e877a48

Trac 0.8.4 Released.

This release contains a security fix for a file upload vulnerability. Everyone
is recommended to upgrade.

  • Parent commits f43451f
  • Branches 0.8-stable
  • Tags trac-0.8.4

Files changed (5)

+Trac 0.8.4  (Jun 19, 2005)
+http://svn.edgewall.com/repos/trac/tags/trac-0.8.4
+
+ * Fixed file upload vulnerability. Trac could be tricked into uploading
+   files outside the environment directory. All users are recommended to
+   upgrade. Vulnerability found by the Hardened-PHP project.
+
+
 Trac 0.8.3  (Jun 15, 2005)
 http://svn.edgewall.com/repos/trac/tags/trac-0.8.3
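Review bot: the ChangeLog entry names the fix but not the affected versions; the release notes changed in this same commit say "Trac <= 0.8.3 could be tricked into uploading files outside the environment directory", and repeating that range here would let someone reading only the ChangeLog tell whether their install is affected. No ticket or advisory reference is given anywhere in this commit; adding one to this entry would give operators something to cite.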
 
-Trac 0.8.3 Release Notes
+Trac 0.8.4 Release Notes
 ========================
-Jun 15, 2005
+Jun 19, 2005
 
-We're proud to present our latest release - Trac 0.8.3.
+We're proud to present our latest release - Trac 0.8.4.
 
 Trac is an enhanced wiki and issue tracking system, integrated with
 Subversion, for software development projects. Trac uses a minimalistic
 
 What's New
 ----------
-A brief summary of major changes for this release:
 
- * Fix compatibility of 'trac-admin resync' with Subversion >= 1.2.
- * Settings page now works correctly when Trac is deployed at the
-   root of a host.
- * Windows packaging issues resolved.
+This release contains a security update. Trac <= 0.8.3 could be tricked into 
+uploading files outside the environment directory. All users are recommended 
+to upgrade. Vulnerability found by the Hardened-PHP project.
 
 For a more complete list of improvements, see the ChangeLog at:
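Review bot: the three added lines under "What's New" carry trailing whitespace ("could be tricked into " and "All users are recommended " both end in a space); trim them so the release notes stay clean. Since the summary line "A brief summary of major changes for this release:" is dropped and the ChangeLog in this commit lists only the one fix, it would help readers to state in the new paragraph that 0.8.4 contains no other changes over 0.8.3, so they know the upgrade is safe to apply in isolation.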
 

File trac/File.py

         if not self.attachment_type or not self.attachment_id:
             raise util.TracError('Unknown request')
 
+        if '..' in self.attachment_id.split('/'):
+            raise util.TracError('Unknown request')
+        
         if self.filename and len(self.filename) > 0 and \
                self.args.has_key('delete'):
             perm_map = {'ticket': perm.TICKET_ADMIN, 'wiki': perm.WIKI_DELETE}
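Review bot: the new check `if '..' in self.attachment_id.split('/'):` only rejects a path component that is exactly '..' after splitting on '/'; it does not catch a backslash separator (which the filesystem honours on Windows), a leading '/' that makes the id absolute, or anything in self.filename, which the code immediately below goes on to use and which is not validated in this hunk. Rather than pattern-matching components, it is more robust to build the final path with os.path.join and os.path.normpath and then require that the normalised result still lies under the attachments directory (for example, that it starts with that directory followed by os.sep), applying the same rule to both attachment_id and filename. A short comment explaining that the check exists to keep uploads inside the environment directory would also help the next reader. Separately, the whitespace-only line added after the check carries trailing spaces.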

File trac/__init__.py

 """
 __docformat__ = 'epytext en'
 
-__version__ = '0.8.3'
+__version__ = '0.8.4'
 __url__ = 'http://trac.edgewall.com/'
 __copyright__ = '(C) 2003,2004,2005 Edgewall Software'
 __license__ = 'GNU General Public License version 2'

File wiki-default/WikiStart

-= Welcome to Trac 0.8.3 =
+= Welcome to Trac 0.8.4 =
 
 Trac is a '''minimalistic''' approach to '''web-based''' management of
 '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress.