Traversal and security

Bug #79778 reported by Marius Gedminas
Affects: SchoolTool
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

In the SchoolTool server only page rendering is protected, but URL traversal is
not. It should be.

In other words, if you try to browse /persons/manager in the web app, you will
get a login page, but if you browse to /persons/nosuchperson, you will get a 404
not found error instead. You should get the login page in both cases.

Tags: security
Albertas Agejevas (alga) wrote :

This bug is still relevant in Zope 3-based SchoolBell.

Changed in schooltool:
status: In Progress → Confirmed
Changed in schooltool:
importance: Medium → Undecided
Changed in schooltool:
status: Confirmed → Won't Fix
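
The difference between the two responses in the bug description can be reproduced with a small model of traversal followed by rendering. This is an added example, not SchoolTool or Zope code: the object tree, the function names and the `protect_traversal` switch are hypothetical, and it assumes every path requires a logged-in user.

```python
# Constructed object tree standing in for the application's /persons container.
TREE = {"persons": {"manager": "manager's page"}}


class NotFound(Exception):
    pass


class Unauthorized(Exception):
    pass


def traverse(path):
    """Walk the object tree one path segment at a time."""
    node = TREE
    for name in path.strip("/").split("/"):
        if not isinstance(node, dict) or name not in node:
            raise NotFound(path)
        node = node[name]
    return node


def render(obj, user):
    """Rendering checks for a logged-in user (None means anonymous)."""
    if user is None:
        raise Unauthorized()
    return obj


def respond(path, user, protect_traversal):
    """Return the kind of response a client receives for this request."""
    try:
        if protect_traversal and user is None:
            raise Unauthorized()  # refuse before the tree is touched
        return "page: " + render(traverse(path), user)
    except Unauthorized:
        return "login page"
    except NotFound:
        return "404 not found"


def leaks_existence(protect_traversal):
    """True if an anonymous client can tell existing names from missing ones."""
    existing = respond("/persons/manager", None, protect_traversal)
    missing = respond("/persons/nosuchperson", None, protect_traversal)
    return existing != missing
```

`leaks_existence(False)` models the reported behaviour and `leaks_existence(True)` the requested one; a check of this shape can serve as a regression test against the real server's anonymous responses.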