What I find weird is that I thought I had protected these functions:

    public List search(String wheresql) throws XWikiException {
        return xwiki.search(wheresql, context);
    }

    public List search(String wheresql, int nb, int start) throws XWikiException {
        return xwiki.search(wheresql, nb, start, context);
    }

It should be:

    public List search(String wheresql) throws XWikiException {
        // Raw search results only for callers with programming rights.
        if (checkProgrammingRights())
            return xwiki.search(wheresql, context);
        return null;
    }

    public List search(String wheresql, int nb, int start) throws XWikiException {
        if (checkProgrammingRights())
            return xwiki.search(wheresql, nb, start, context);
        else
            return null;
    }

This is annoying and needs to be fixed.

Concerning the searchDocuments function, this actually secures documents from being read by the search function when users are not allowed. However, without wrapping them they can be modified in memory, which is bad:

    if (checkRight) {
        // Skip documents the current user has no "view" right on.
        if (context.getWiki().getRightService().checkAccess("view", doc, context) == false)
            continue;
    }

I've committed changes for these two issues.

Ludovic

Matthew Conway wrote:
It's easy enough to fix, but if any view layer depends on the extra access, it will break. Is it OK to break people that are wrongly depending on a security hole to get more access?
Something like wrapping the returned lists with a call to wrapDocs would work:
    private List wrapDocs(List docs) {
        List result = new ArrayList();
        if (docs != null) {
            // Walk the raw XWikiDocument list and hand back read-only API wrappers.
            for (Iterator iter = docs.iterator(); iter.hasNext();) {
                XWikiDocument doc = (XWikiDocument) iter.next();
                Document wrappedDoc = new Document(doc, context);
                result.add(wrappedDoc);
            }
        }
        return result;
    }
Matt
On Feb 24, 2006, at 8:50 PM, Ludovic Dubost wrote:
There is a bug in this API. I have been notified of that one recently. We need to fix it.
Ludovic
Matthew Conway wrote:
Isn't it a potential security hole for com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of XWikiDocument instead of wrapping them in a Document like the other API methods do?
Matt
-- You receive this message as a subscriber of the [email protected] mailing list. To unsubscribe: mailto:[email protected] For general help: mailto:[email protected]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
--Ludovic Dubost XPertNet: http://www.xpertnet.fr/ Blog: http://www.ludovic.org/blog/ XWiki: http://www.xwiki.com Skype: ldubost AIM: nvludo Yahoo: ludovic
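The pattern the thread converges on, as an added example that is not XWiki's code: a scripting API that hands out the internal model object lets any script author rewrite it in memory, while a wrapper with read accessors only, built after a per-document view check, does not. The classes below (InternalDoc, DocView, Context, SearchApi, WrapDemo) are hypothetical stand-ins for XWikiDocument, the api Document wrapper, the context and the API class; the "query" is a substring match on the name, and the rights model is a flag plus a set of viewable names. The two fixed methods mirror the thread: search() returns raw objects only with programming rights (null otherwise), searchDocuments() filters on the view right and wraps.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Stand-in for XWikiDocument: the internal, fully mutable model object.
// (Hypothetical class, not XWiki's own.)
final class InternalDoc {
    final String name;
    String content;
    InternalDoc(String name, String content) { this.name = name; this.content = content; }
}

// Stand-in for the api Document wrapper: read accessors only, no setters,
// so a script holding a DocView cannot change the document in memory.
final class DocView {
    private final InternalDoc doc;
    DocView(InternalDoc doc) { this.doc = doc; }
    public String getName() { return doc.name; }
    public String getContent() { return doc.content; }
}

// Stand-in for the request context: the calling user and the rights they hold.
final class Context {
    final String user;
    final boolean programmingRights;
    final Set<String> viewable;  // names of documents this user may "view"
    Context(String user, boolean programmingRights, Set<String> viewable) {
        this.user = user; this.programmingRights = programmingRights; this.viewable = viewable;
    }
}

final class SearchApi {
    private final List<InternalDoc> store;  // stands in for the database
    private final Context context;
    SearchApi(List<InternalDoc> store, Context context) { this.store = store; this.context = context; }

    // The shape the thread complains about: raw model objects handed to any caller.
    public List<InternalDoc> searchUnsafe(String where) { return matches(where); }

    // Fix for search(): raw objects only for callers with programming rights.
    public List<InternalDoc> search(String where) {
        if (!context.programmingRights) return null;
        return matches(where);
    }

    // Fix for searchDocuments(): drop documents the caller may not view, then wrap.
    public List<DocView> searchDocuments(String where) {
        List<DocView> result = new ArrayList<>();
        for (InternalDoc doc : matches(where)) {
            if (!context.viewable.contains(doc.name)) continue;  // "view" right check
            result.add(new DocView(doc));
        }
        return result;
    }

    // Toy query: substring match on the name. Real HQL handling is out of scope here.
    private List<InternalDoc> matches(String where) {
        List<InternalDoc> out = new ArrayList<>();
        for (InternalDoc doc : store) if (doc.name.contains(where)) out.add(doc);
        return out;
    }
}

public class WrapDemo {
    public static void main(String[] args) {
        // Constructed sample store: one public and one restricted page.
        List<InternalDoc> store = new ArrayList<>();
        store.add(new InternalDoc("Main.WebHome", "public page"));
        store.add(new InternalDoc("Admin.Secrets", "restricted page"));

        // A script author without programming rights who may only view Main.WebHome.
        Context guest = new Context("guest", false, Set.of("Main.WebHome"));
        SearchApi api = new SearchApi(store, guest);

        // Unsafe path: the raw object comes back and the script rewrites it in memory.
        InternalDoc raw = api.searchUnsafe("Admin").get(0);
        raw.content = "defaced";
        System.out.println("after unsafe search: " + store.get(1).content);

        // Guarded path: no programming rights, so nothing comes back.
        System.out.println("search() for guest: " + api.search("Admin"));

        // Wrapped path: Admin.Secrets is filtered out, and DocView has no setter,
        // so "view.content = ..." would not even compile.
        for (DocView view : api.searchDocuments(".")) {
            System.out.println("visible: " + view.getName() + " -> " + view.getContent());
        }
    }
}
```

Compile and run with `javac WrapDemo.java && java WrapDemo` (Java 9 or later for Set.of). The unsafe path prints "defaced" for the store entry, showing that the mutation reached the backing object; the wrapped path lists only Main.WebHome. Note that the wrapper guards the objects it returns, not the query itself: the view check is per result document, which is the same place the thread's `checkAccess("view", doc, context)` sits.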