What I find weird is that I thought I had protected these functions:

    public List search(String wheresql) throws XWikiException {
        return xwiki.search(wheresql, context);
    }

    public List search(String wheresql, int nb, int start) throws XWikiException {
        return xwiki.search(wheresql, nb, start, context);
    }
It should be:

    public List search(String wheresql) throws XWikiException {
        // Only callers holding programming rights may run a raw where-clause search
        if (checkProgrammingRights())
            return xwiki.search(wheresql, context);
        return null;
    }

    public List search(String wheresql, int nb, int start) throws XWikiException {
        if (checkProgrammingRights())
            return xwiki.search(wheresql, nb, start, context);
        else
            return null;
    }
This is annoying and needs to be fixed.
Concerning the searchDocuments function, this actually secures documents
from being read by the search function when users are not allowed.
However, without wrapping them they can be modified in memory, which is bad:

    if (checkRight) {
        if (context.getWiki().getRightService().checkAccess("view", doc, context) == false)
            continue;
    }
I've committed changes for these two issues.
Ludovic
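As an added illustration (not code from this thread or from XWiki itself), here is a simplified Java model of the two fixes discussed above: a programming-rights gate on the raw search entry point, and wrapping results so a page script cannot touch the cached XWikiDocument. The XWikiDocument, XWikiContext and Document classes below are hypothetical stand-ins, not XWiki's real classes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Simplified stand-ins for XWiki's internal document, request context and API
// facade. The class names mirror the thread, but these are hypothetical models.
public class WrappedSearchDemo {
    // Internal, mutable object that lives in the server-side document cache.
    static class XWikiDocument {
        final String name; String content;
        XWikiDocument(String name, String content) { this.name = name; this.content = content; }
    }
    // Caller context: whether the script has programming rights, and what it may view.
    static class XWikiContext {
        final boolean programmingRights; final List<String> viewable;
        XWikiContext(boolean pr, List<String> v) { programmingRights = pr; viewable = v; }
        boolean canView(XWikiDocument doc) { return viewable.contains(doc.name); }
    }
    // Read-only API wrapper: exposes data but never the mutable internal object.
    static class Document {
        private final XWikiDocument doc;
        Document(XWikiDocument doc, XWikiContext ctx) { this.doc = doc; } // ctx mirrors the API
        public String getContent() { return doc.content; }
    }
    // Shape the thread criticises: no rights gate, raw cached objects handed out.
    static List<XWikiDocument> searchUnsafe(List<XWikiDocument> store, XWikiContext ctx) {
        return new ArrayList<>(store);
    }
    // Fixed shape: programming-rights gate, per-document view check, wrapped results.
    static List<Document> search(List<XWikiDocument> store, XWikiContext ctx) {
        if (!ctx.programmingRights) return Collections.emptyList();
        List<Document> result = new ArrayList<>();
        for (XWikiDocument doc : store) {
            if (!ctx.canView(doc)) continue;    // skip documents the caller may not view
            result.add(new Document(doc, ctx)); // wrap instead of leaking the cached object
        }
        return result;
    }
    public static void main(String[] args) {
        List<XWikiDocument> cache = new ArrayList<>();             // constructed sample cache
        cache.add(new XWikiDocument("Main.Secret", "original"));
        XWikiContext pageScript = new XWikiContext(false, List.of());
        // Unsafe: a page script without rights edits the cached document in memory.
        searchUnsafe(cache, pageScript).get(0).content = "defaced";
        System.out.println("cache after unsafe call: " + cache.get(0).content);
        // Fixed: the same script gets nothing back, so there is nothing to read or modify.
        System.out.println("fixed call returned " + search(cache, pageScript).size() + " docs");
        XWikiContext admin = new XWikiContext(true, List.of("Main.Secret"));
        System.out.println("admin sees: " + search(cache, admin).get(0).getContent());
    }
}
```

The fixed method returns an empty list where the thread's patch returns null; either way the caller never receives the cached object.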
Matthew Conway wrote:
It's easy enough to fix, but if any view layer depends on the extra
access, it will break. Is it ok to break people that are wrongly
depending on a security hole to get more access?
Something like wrapping the returned lists with a call to wrapDocs
would work:
    private List wrapDocs(List docs)
    {
        List result = new ArrayList();
        if (docs != null)
        {
            // Iterate over the input documents, not over the (still empty) result list
            for (Iterator iter = docs.iterator(); iter.hasNext();)
            {
                XWikiDocument doc = (XWikiDocument) iter.next();
                // Hand back a read-only API wrapper rather than the cached internal object
                Document wrappedDoc = new Document(doc, context);
                result.add(wrappedDoc);
            }
        }
        return result;
    }
Matt
On Feb 24, 2006, at 8:50 PM, Ludovic Dubost wrote:
There is a bug in this API. I have been notified of that one recently.
We need to fix it.
Ludovic
Matthew Conway wrote:
Isn't it a potential security hole for
com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of
XWikiDocument instead of wrapping them in a Document like the other
API methods do?
Matt
------------------------------------------------------------------------
--
You receive this message as a subscriber of the
xwiki-dev(a)objectweb.org mailing list.
To unsubscribe: mailto:xwiki-dev-unsubscribe@objectweb.org
For general help: mailto:sympa@objectweb.org?subject=help
ObjectWeb mailing lists service home page:
http://www.objectweb.org/wws
--Ludovic Dubost
XPertNet:
http://www.xpertnet.fr/
Blog:
http://www.ludovic.org/blog/
XWiki:
http://www.xwiki.com
Skype: ldubost AIM: nvludo Yahoo: ludovic