author | Andreas Gohr <gohr@cosmocode.de> | 2010-01-13 09:20:36 +0100 |
---|---|---|
committer | Andreas Gohr <gohr@cosmocode.de> | 2010-01-13 09:21:59 +0100 |
commit | 96a47e5d480e6c5b3aab1884a8536ec4b8ca2fab (patch) | |
tree | 6ef34fca4651ca476164f019d28f34157e94df16 | |
parent | 214dce0ff011f87cd6a09c3ae89d17cf4cefc7a4 (diff) | |
download | rpg-96a47e5d480e6c5b3aab1884a8536ec4b8ca2fab.tar.gz rpg-96a47e5d480e6c5b3aab1884a8536ec4b8ca2fab.tar.bz2 |
fixed information leakage in ACL plugin FS#1847
-rw-r--r-- | lib/plugins/acl/ajax.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index 54eaa8dc7..97fae2ad1 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
@@ -16,9 +16,11 @@ require_once(DOKU_INC.'inc/init.php');
 require_once(DOKU_INC.'inc/common.php');
 require_once(DOKU_INC.'inc/pageutils.php');
 require_once(DOKU_INC.'inc/auth.php');
-//close sesseion
+//close session
 session_write_close();
+if(!auth_ismanager()) die('forbidden');
+
 $ID = getID();
 if(!auth_isadmin) die('for admins only');
@@ -42,6 +44,7 @@ if($ajax == 'info'){
 if($ns == '*'){
 $ns ='';
 }
+ $ns = cleanID($ns);
 $lvl = count(explode(':',$ns));
 $ns = utf8_encodeFN(str_replace(':','/',$ns));
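Review bot: The context line kept right after the new gate, `if(!auth_isadmin) die('for admins only');`, tests the bare name `auth_isadmin` rather than calling the function; in the PHP of this era an undefined constant evaluates to its own name as a non-empty string, so `!auth_isadmin` is always false and the admin check never denies anyone. With that line inert, the new `if(!auth_ismanager()) die('forbidden');` becomes the only effective gate, which admits managers to an endpoint whose own message says it is for admins. Change the line to `if(!auth_isadmin()) die('for admins only');` so the intended restriction actually holds. Consider also sending a 403 status before each `die` so AJAX callers can tell a refusal from a normal response; the surrounding top-level script continues outside the hunk.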
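Review bot: The added `$ns = cleanID($ns);` carries no comment tying it to the leak the commit message names, and because it sits after the `'*'` special-case and before the `str_replace(':','/',$ns)` that turns the value into a filesystem path, a later reader may move or drop it as a harmless normalisation. Suggest placing `// normalise the request-supplied namespace before it becomes a filesystem path below (FS#1847)` directly above the line. The enclosing branch starts and ends outside the hunk, so where `$ns` is first read cannot be confirmed from here.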