0000076: potencial security issue: on GUI each client (not only admin) can see physical location of nzb directory

View Issue Details [ Jump to Notes ]

[ << ] [ >> ]

[ Issue History ] [ Print ]

Project

Tags

No tags attached.

Attached Files

ninan-76.patch [^] (974 bytes) 2009-01-31 19:58 [Show Content] [Hide Content]

Index: ninan-frontend/src/main/java/dk/team/ninan/frontend/wicket/UploadPanel.java
===================================================================
--- ninan-frontend/src/main/java/dk/team/ninan/frontend/wicket/UploadPanel.java	(revision 3061)
+++ ninan-frontend/src/main/java/dk/team/ninan/frontend/wicket/UploadPanel.java	(working copy)
@@ -63,7 +63,13 @@
         ajaxSimpleUploadForm.add(new FeedbackPanel("uploadFeedback"));
 
         // Add folder view
-        ajaxSimpleUploadForm.add(new Label("dir", uploadFolder.getAbsolutePath()));
+		String uploadFolderName;
+		if (isAdmin()) {
+			uploadFolderName = uploadFolder.getAbsolutePath();
+		} else {
+			uploadFolderName = uploadFolder.getName();
+		}
+        ajaxSimpleUploadForm.add(new Label("dir", uploadFolderName));
         files.addAll(Arrays.asList(uploadFolder.listFiles()));
         fileListView = new FileListView("fileList", files);
         ajaxSimpleUploadForm.add(fileListView);

Relationships

Notes
(0000023) abryzak (reporter) 2009-01-31 19:58	I've created a patch that will make the absolute path only be displayed for admin users.

Issue History
Date Modified	Username	Field	Change
2008-10-29 14:25	jmi	New Issue
2009-01-31 19:58	abryzak	File Added: ninan-76.patch
2009-01-31 19:58	abryzak	Note Added: 0000023