| 2013-08-14 11:05:35 |
Gavin Panella |
bug |
|
|
added bug |
| 2013-08-30 04:47:16 |
Julian Edwards |
maas: milestone |
|
13.10 |
|
| 2013-09-30 14:33:28 |
Raphaël Badin |
nominated for series |
|
maas/1.2 |
|
| 2013-09-30 14:33:28 |
Raphaël Badin |
bug task added |
|
maas/1.2 |
|
| 2013-09-30 14:33:28 |
Raphaël Badin |
nominated for series |
|
maas/1.3 |
|
| 2013-09-30 14:33:28 |
Raphaël Badin |
bug task added |
|
maas/1.3 |
|
| 2013-09-30 14:33:28 |
Raphaël Badin |
nominated for series |
|
maas/trunk |
|
| 2013-09-30 14:33:28 |
Raphaël Badin |
bug task added |
|
maas/trunk |
|
| 2013-09-30 14:38:05 |
Raphaël Badin |
maas/1.3: status |
New |
Triaged |
|
| 2013-09-30 14:38:08 |
Raphaël Badin |
maas/1.2: status |
New |
Triaged |
|
| 2013-09-30 14:38:10 |
Raphaël Badin |
maas/1.3: importance |
Undecided |
Critical |
|
| 2013-09-30 14:38:11 |
Raphaël Badin |
maas/1.2: importance |
Undecided |
Critical |
|
| 2013-09-30 14:38:13 |
Raphaël Badin |
maas/1.2: assignee |
|
Raphaël Badin (rvb) |
|
| 2013-09-30 14:38:14 |
Raphaël Badin |
maas/1.3: assignee |
|
Raphaël Badin (rvb) |
|
| 2013-09-30 14:38:16 |
Raphaël Badin |
maas/trunk: assignee |
|
Raphaël Badin (rvb) |
|
| 2013-10-01 12:49:41 |
Raphaël Badin |
maas/1.3: assignee |
Raphaël Badin (rvb) |
|
|
| 2013-10-01 12:49:42 |
Raphaël Badin |
maas/trunk: assignee |
Raphaël Badin (rvb) |
|
|
| 2013-10-01 12:49:44 |
Raphaël Badin |
maas/1.2: assignee |
Raphaël Badin (rvb) |
|
|
| 2013-10-18 00:11:26 |
Julian Edwards |
maas/trunk: milestone |
13.10 |
14.04 |
|
| 2014-04-10 06:22:15 |
Julian Edwards |
maas/trunk: milestone |
14.04 |
14.10 |
|
| 2014-07-07 02:08:29 |
Julian Edwards |
maas/trunk: milestone |
1.6.0 |
1.6.1 |
|
| 2014-09-02 02:29:32 |
Julian Edwards |
maas/1.2: status |
Triaged |
Won't Fix |
|
| 2014-09-02 02:29:36 |
Julian Edwards |
maas/1.3: status |
Triaged |
Won't Fix |
|
| 2014-09-02 02:29:49 |
Julian Edwards |
maas/trunk: importance |
Critical |
High |
|
| 2014-10-02 20:12:29 |
Christian Reis |
maas/trunk: importance |
High |
Critical |
|
| 2014-10-02 20:14:55 |
Christian Reis |
maas/trunk: assignee |
|
Raphaël Badin (rvb) |
|
| 2014-10-03 07:34:37 |
Raphaël Badin |
maas/trunk: assignee |
Raphaël Badin (rvb) |
|
|
| 2014-10-09 14:14:15 |
Christian Reis |
maas/trunk: assignee |
|
Raphaël Badin (rvb) |
|
| 2014-10-09 15:54:19 |
Raphaël Badin |
branch linked |
|
lp:~rvb/maas/fix-get-file-by-name-2 |
|
| 2014-10-09 21:23:07 |
Christian Reis |
maas/trunk: status |
Triaged |
In Progress |
|
| 2014-10-10 12:31:54 |
Raphaël Badin |
maas/trunk: assignee |
Raphaël Badin (rvb) |
Christian Reis (kiko) |
|
| 2014-10-10 15:27:07 |
Gavin Panella |
description |
maasserver.api.get_file_by_name is used to define a couple of API operations: AnonFilesHandler.get_by_name and FilesHandler.get_by_name. However, it does not verify ownership of the file, thus allowing anyone to download any file. FileHandler.read is an example of what should be done.
get_file_by_key may be similarly vulnerable. |
maasserver.api.get_file_by_name is used to define a couple of API operations: AnonFilesHandler.get_by_name and FilesHandler.get_by_name. However, it does not verify ownership of the file, thus allowing anyone to download any file. FileHandler.read is an example of what should be done.
get_file_by_key may be similarly vulnerable; filed as bug 1379826. |
|
| 2014-10-10 15:41:53 |
James Troup |
bug |
|
|
added subscriber The Canonical Sysadmins |
| 2014-10-14 20:49:47 |
Christian Reis |
bug |
|
|
added subscriber Kapil Thangavelu |
| 2014-10-14 20:50:07 |
Christian Reis |
bug |
|
|
added subscriber Ante Karamatić |
| 2014-10-14 20:50:50 |
Christian Reis |
bug |
|
|
added subscriber Antonio Rosales |
| 2014-10-14 20:51:14 |
Christian Reis |
bug |
|
|
added subscriber Alexis Bruemmer |
| 2014-10-14 20:51:17 |
Christian Reis |
bug |
|
|
added subscriber Mark Shuttleworth |
| 2014-10-16 05:08:42 |
Julian Edwards |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2014-10-17 07:49:14 |
Raphaël Badin |
maas/trunk: milestone |
1.7.0 |
next |
|
| 2014-10-17 07:49:16 |
Raphaël Badin |
maas/trunk: assignee |
Christian Reis (kiko) |
|
|
| 2014-10-17 07:49:20 |
Raphaël Badin |
maas/trunk: status |
In Progress |
Triaged |
|
| 2014-10-30 20:26:25 |
Christian Reis |
maas/trunk: milestone |
next |
1.7.2 |
|
| 2015-01-28 14:12:06 |
Andres Rodriguez |
bug |
|
|
added subscriber Andreas Hasenack |
| 2015-01-28 18:11:00 |
Christian Reis |
maas/trunk: status |
Triaged |
In Progress |
|
| 2015-01-30 15:53:18 |
Marc Deslauriers |
cve linked |
|
2014-1426 |
|
| 2015-02-02 04:51:29 |
Barry Price |
removed subscriber Kapil Thangavelu |
|
|
|
| 2015-02-27 11:25:46 |
Raphaël Badin |
nominated for series |
|
maas/1.5 |
|
| 2015-02-27 11:25:46 |
Raphaël Badin |
bug task added |
|
maas/1.5 |
|
| 2015-02-27 11:25:46 |
Raphaël Badin |
nominated for series |
|
maas/1.7 |
|
| 2015-02-27 11:25:46 |
Raphaël Badin |
bug task added |
|
maas/1.7 |
|
| 2015-03-03 16:35:20 |
Andres Rodriguez |
maas/trunk: milestone |
1.7.2 |
1.7.3 |
|
| 2015-03-03 17:47:55 |
Christian Reis |
maas/1.7: milestone |
|
1.7.3 |
|
| 2015-03-03 17:47:58 |
Christian Reis |
maas/trunk: milestone |
1.7.3 |
next |
|
| 2015-10-21 04:10:34 |
Tyler Hicks |
bug |
|
|
added subscriber Adam Conrad |
| 2016-04-13 14:25:10 |
Blake Rouse |
maas/1.5: status |
New |
Won't Fix |
|
| 2016-04-13 14:25:17 |
Blake Rouse |
maas/1.7: status |
New |
Won't Fix |
|
| 2016-04-13 14:25:23 |
Blake Rouse |
nominated for series |
|
maas/1.9 |
|
| 2016-04-13 14:25:23 |
Blake Rouse |
bug task added |
|
maas/1.9 |
|
| 2016-04-13 14:25:30 |
Blake Rouse |
maas/1.9: status |
New |
Triaged |
|
| 2016-04-13 14:25:32 |
Blake Rouse |
maas/1.9: importance |
Undecided |
Critical |
|
| 2016-04-13 14:25:35 |
Blake Rouse |
maas/1.9: assignee |
|
Blake Rouse (blake-rouse) |
|
| 2016-04-13 14:25:37 |
Blake Rouse |
maas/trunk: assignee |
|
Blake Rouse (blake-rouse) |
|
| 2016-04-13 14:25:41 |
Blake Rouse |
maas/1.9: status |
Triaged |
In Progress |
|
| 2016-04-13 14:25:43 |
Blake Rouse |
maas/1.9: milestone |
|
1.9.2 |
|
| 2016-04-13 14:25:45 |
Blake Rouse |
maas/trunk: milestone |
next |
2.0.0 |
|
| 2016-04-13 14:25:48 |
Blake Rouse |
maas/1.7: milestone |
1.7.3 |
|
|
| 2016-04-13 15:36:21 |
Launchpad Janitor |
branch linked |
|
lp:~maas-maintainers/maas/fix-get-file-by-name-1.9 |
|
| 2016-04-13 15:42:42 |
Blake Rouse |
maas/trunk: status |
In Progress |
Fix Committed |
|
| 2016-04-13 16:31:19 |
MAAS Lander |
maas/1.9: status |
In Progress |
Fix Committed |
|
| 2016-04-28 18:46:16 |
Andres Rodriguez |
maas/1.9: status |
Fix Committed |
Fix Released |
|
| 2016-08-18 11:19:10 |
Andres Rodriguez |
maas: status |
Fix Committed |
Fix Released |
|
| 2017-02-19 21:09:57 |
Michael Foley |
removed subscriber Alexis Bruemmer |
|
|
|
| 2017-04-11 20:17:31 |
Jamon Camisso |
removed subscriber Gavin Panella |
|
|
|
| 2017-04-12 06:58:49 |
Nick Moffitt |
removed subscriber Antonio Rosales |
|
|
|
| 2017-10-11 14:14:51 |
Tom Haddon |
removed subscriber The Canonical Sysadmins |
|
|
|
| 2017-12-20 07:48:07 |
Mark Shuttleworth |
removed subscriber Mark Shuttleworth |
|
|
|
| 2019-03-21 03:16:33 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
| 2019-03-21 03:16:36 |
Seth Arnold |
bug |
|
|
added subscriber Ubuntu Bugs |
