Mercurial > p > roundup > code
diff CHANGES.txt @ 4437:261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
- Security Fix: Add a check for search-permissions: now we allow
searching for properties only if the property is readable without a
check method or if an explicit search permission (see above under
"Features") is given for the property. This fixes cases where a user
doesn't have access to a property but can deduce the content by
crafting a clever search, group or sort query.
see doc/upgrading.txt for how to fix your trackers!
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Tue, 19 Oct 2010 15:29:05 +0000 |
| parents | 386200d0c929 |
| children | 3ef12483c4bf |
--- a/CHANGES.txt Tue Oct 19 00:41:29 2010 +0000 +++ b/CHANGES.txt Tue Oct 19 15:29:05 2010 +0000 @@ -2,10 +2,22 @@ are given with the most recent entry first. If no other name is given, Richard Jones did the change. -20X0-XX-XX +20XX-XX-XX 1.4.17 (rXXXX) + +Features: + +- Add explicit "Search" permissions, see Security Fix below. Fixed: + - Some minor typos fixed in doc/customizing.txt (Thanks Ralf Hemmecke). +- Security Fix: Add a check for search-permissions: now we allow + searching for properties only if the property is readable without a + check method or if an explicit search permission (see above unter + "Features) is given for the property. This fixes cases where a user + doesn't have access to a property but can deduce the content by + crafting a clever search, group or sort query. + see doc/upgrading.txt for how to fix your trackers! 2010-10-08 1.4.16 (r4541)
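Review bot: The added "Security Fix" entry under "Fixed:" contains a typo and an unclosed quote in `(see above unter "Features)`; suggest `(see above under "Features")`. The same entry announces a behaviour change (search, group and sort on a property are now allowed only if it is readable without a check method or has an explicit Search permission) and sends readers to doc/upgrading.txt, but this diff touches only CHANGES.txt, so it is worth confirming that the upgrading notes land in the same changeset and that the entry names the section to read there. Since existing trackers can lose working searches after upgrading, consider stating that consequence in the entry itself rather than only "how to fix your trackers". The header placeholders `20XX-XX-XX 1.4.17 (rXXXX)` still need real values before release.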
