View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0026631 | mantisbt | security | public | 2020-01-27 14:17 | 2020-09-19 10:59 |

| Target Version | Fixed in Version |
|---|---|
| 2.24.1 | 2.24.1 |

Summary: 0026631: file_get_visible_attachments shows private files that should be invisible to the user
2.23.0 allows uploading private and public files; the visibility is stored on the attached bugnote. This is not taken into account in some core functions like file_get_visible_attachment. It is possibly not critical, because I don't know if a user can see the return values somewhere. print_bug_attachment_list uses this function, but the print function does not seem to be called directly.
Tags: No tags attached.

| Relationship | ID | Status | Handler | Summary |
|---|---|---|---|---|
| related to | 0009802 | closed | vboctor | Support attachments associated with private notes |
| related to | 0027039 | closed | dregad | CVE-2020-25781: Access to private bug note attachments |
| has duplicate | 0026728 | closed | dregad | file_get_visible_attachments shows private attachments (uploaded with a private bugnote) |
| related to | 0022323 | new | | Missing whole "Attached Files" section |
| related to | 0026893 | closed | vboctor | APIs expose private attachments to users who has access to issue but not private notes |
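The gap the report describes is that the list of "visible" attachments is built without consulting the view state of the bugnote each file was uploaded with, so a private note's files can be returned to a user who is not allowed to read that note. The sketch below is an added illustration of the missing check and is not MantisBT's own code: it assumes a constructed in-memory model (attachments carrying a `bugnote_id`, bugnotes carrying a `view_state`), a hypothetical `filter_visible_attachments()` function, made-up `VS_PUBLIC`/`VS_PRIVATE` constants and constructed sample data. The attachment-not-linked-to-a-note case is treated as issue-level, which matches the behaviour the notes describe for files from pre-upgrade installations.

```php
<?php
// Added illustration, not MantisBT code. Constants and sample data are constructed.

const VS_PUBLIC  = 10; // hypothetical view-state values for this example
const VS_PRIVATE = 50;

/**
 * Return only the attachments the current user may see (hypothetical helper).
 *
 * $attachments: list of ['id' => int, 'filename' => string, 'bugnote_id' => int|null]
 * $bugnotes:    map bugnote_id => ['view_state' => VS_PUBLIC|VS_PRIVATE]
 * $user_can_view_private: whether the user may read private bugnotes on this issue
 */
function filter_visible_attachments(array $attachments, array $bugnotes, bool $user_can_view_private): array
{
    $visible = [];
    foreach ($attachments as $a) {
        $note_id = $a['bugnote_id'] ?? null;

        if ($note_id === null) {
            // Issue-level attachment: no note restriction applies.
            $visible[] = $a;
            continue;
        }

        if (!isset($bugnotes[$note_id])) {
            // Dangling link to a note we cannot evaluate: fail closed and hide it.
            continue;
        }

        $is_private = $bugnotes[$note_id]['view_state'] === VS_PRIVATE;
        if (!$is_private || $user_can_view_private) {
            $visible[] = $a;
        }
    }
    return $visible;
}

// Constructed sample data: one public note, one private note.
$bugnotes = [
    101 => ['view_state' => VS_PUBLIC],
    102 => ['view_state' => VS_PRIVATE],
];
$attachments = [
    ['id' => 1, 'filename' => 'screenshot.png',    'bugnote_id' => 101],
    ['id' => 2, 'filename' => 'internal-log.txt',  'bugnote_id' => 102],
    ['id' => 3, 'filename' => 'legacy.pdf',        'bugnote_id' => null],
    ['id' => 4, 'filename' => 'dangling.bin',      'bugnote_id' => 999],
];

function filenames(array $list): array
{
    return array_column($list, 'filename');
}

// A reporter who cannot read private notes must not receive internal-log.txt.
print_r(filenames(filter_visible_attachments($attachments, $bugnotes, false)));

// A developer with private-note access receives the private note's file as well.
print_r(filenames(filter_visible_attachments($attachments, $bugnotes, true)));
```

The point worth carrying into a regression test for this issue is the first call: with `$user_can_view_private` false, nothing attached to a `VS_PRIVATE` note may appear in the result, regardless of which caller (list rendering, API, or download handler) asks for the list.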
As a response to 0022323:0063574 - fits here better:
Don't know what the intention of the developers is.
As reported in 0026627 it seems attachments are always treated as public, so they prevent uploading if the default note state is private.
If upgrading from an older version, attachments are not pinned to a note and are also always publicly visible.
I think the situation is different:

Yes, it is fixed in 2.24.1. @polzin can you please confirm?

I have currently no 2.24.1 installed. I will need some time to check it out, sorry.

Closing for now. @polzin please re-open or open a new issue if you had issues with this. I tested this as part of the fix in 2.24.1.