Hi Henning,
I think your remark is spot on. I'll check with Sergiu whether this should
be removed (it's quite an easy modification to do).
Actually, right now you can change it by editing the page and
replacing "<tt>${userEmail}</tt>" with "your email address":
#if($mailResult == 0)
#info("An e-mail was sent to <tt>${userEmail}</tt>. Please follow the instructions in that e-mail to complete the password reset procedure.")
#else
Thanks for the hint,
Guillaume
On Mon, Feb 23, 2009 at 12:20 PM, Henning Sprang
<henning.sprang(a)gmail.com> wrote:
On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer
<nielsmayer(a)gmail.com> wrote:
In XWiki 1.8RC1, this "security issue" doesn't seem to be the case by
default.
I'll check that.
I realized I made a mistake in the first sentence. I didn't see the
problem of code being shown or something like that, but when I call
the resetPassword function, the system shows the _Email_ address of
the username for whom I call the resetPassword.
And because anybody can call this function for any user, and because,
in the default setting (and for password reset and other things to
work properly), the pages that show all usernames are viewable by
unregistered users, people can harvest email addresses from all users
on the wiki.
But yes, the code viewing and execution stuff is interesting for other
threads I started these days and for the general idea that I usually
don't like to make the whole XWiki space viewable by unregistered
users.
Henning
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
Guillaume Lerouge
Product Manager - XWiki
Skype ID : wikibc
http://guillaumelerouge.com/
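The template change Guillaume describes, modelled in Python as an added example (this is not XWiki's code): the original message echoes the looked-up address, while the hardened variant returns the same sentence for every outcome, which also goes one step further than the thread by not distinguishing unknown usernames. The user directory, the mail sender and the #else wording are constructed stand-ins.

```python
from typing import Optional

# Constructed sample directory: username -> e-mail address.
USERS = {
    "XWiki.JohnDoe": "john.doe@example.org",
    "XWiki.JaneRoe": "jane.roe@example.org",
}


def lookup_email(username: str) -> Optional[str]:
    """Stand-in for the user lookup behind resetPassword."""
    return USERS.get(username)


def send_reset_mail(email: Optional[str]) -> int:
    """Stand-in for the mail sender; 0 means success, like $mailResult."""
    return 0 if email else 1


def leaky_reset_message(username: str) -> str:
    """Mirror of the quoted template: the address is echoed on success."""
    user_email = lookup_email(username)
    mail_result = send_reset_mail(user_email)
    if mail_result == 0:
        return (f"An e-mail was sent to <tt>{user_email}</tt>. Please follow "
                "the instructions in that e-mail to complete the password "
                "reset procedure.")
    # Constructed stand-in for the template's #else branch.
    return "The e-mail could not be sent."


GENERIC = ("If an account with that name exists, an e-mail was sent to its "
           "address. Please follow the instructions in that e-mail to "
           "complete the password reset procedure.")


def hardened_reset_message(username: str) -> str:
    """Same wording whatever happens: no address, no hint about existence."""
    user_email = lookup_email(username)
    if user_email is not None:
        # Delivery failures belong in the server log, not in the response.
        send_reset_mail(user_email)
    return GENERIC


def discloses_directory_data(message: str) -> bool:
    """Defender's check: a response containing any directory address leaks."""
    return any(email in message for email in USERS.values())
```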