Fix several security issues in the XML-RPC interface

For locks and getRevisions there hasn't been any acl check. In many other cases the id hadn't been cleaned before the acl check was done which means that many acl rules that should be applied weren't applied. So e.g. when you have read permissions for the root namespace but not for a subnamespace you could add a leading ":" and the permissions for the root namespace will be used instead of the permissions for the subnamespace. This did not apply to writing pages and reading media files, but writing and deleting media files have been concerned as well as reading both plain and html versions of pages. This only concerns installations where XML-RPC is enabled (default is disabled) and XML-RPC is allowed for all or untrusted users.
author: Michael Hamann <michael@content-space.de> 2011-01-16 13:30:49 +0100
committer: Andreas Gohr <andi@splitbrain.org> 2011-01-16 18:36:55 +0100
commit: 29af721754761e8b633e346fefc6e1067150d83c (patch)
tree: 30b47f4df20dbc1c18c20722cd88e270195c1b20
parent: 668ecbf4f3b194e6466682ac7134425bb698237a (diff)
download: rpg-29af721754761e8b633e346fefc6e1067150d83c.tar.gz
rpg-29af721754761e8b633e346fefc6e1067150d83c.tar.bz2
1 files changed, 18 insertions, 5 deletions
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index f06792361..53189d291 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -289,6 +289,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return a raw wiki page
      */
     function rawPage($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -344,6 +345,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return a wiki page rendered to html
      */
     function htmlPage($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -481,6 +483,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return some basic data about a page
      */
     function pageInfo($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -583,6 +586,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Michael Klier <chi@chimeric.de>
      */
     function putAttachment($id, $file, $params) {
+        $id = cleanID($id);
         global $conf;
         global $lang;
 
@@ -650,6 +654,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Gina Haeussge <osd@foosel.net>
      */
     function deleteAttachment($id){
+        $id = cleanID($id);
         $auth = auth_quickaclcheck(getNS($id).':*');
         if($auth < AUTH_DELETE) return new IXR_ERROR(1, "You don't have permissions to delete files.");
         global $conf;
@@ -707,6 +712,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
     * Returns the permissions of a given wiki page
     */
     function aclCheck($id) {
+        $id = cleanID($id);
         return auth_quickaclcheck($id);
     }
 
@@ -716,13 +722,14 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Michael Klier <chi@chimeric.de>
      */
     function listLinks($id) {
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
         $links = array();
 
         // resolve page instructions
-        $ins   = p_cached_instructions(wikiFN(cleanID($id)));
+        $ins   = p_cached_instructions(wikiFN($id));
 
         // instantiate new Renderer - needed for interwiki links
         include(DOKU_INC.'inc/parser/xhtml.php');
@@ -830,6 +837,10 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Michael Klier <chi@chimeric.de>
      */
     function pageVersions($id, $first) {
+        $id = cleanID($id);
+        if(auth_quickaclcheck($id) < AUTH_READ){
+            return new IXR_Error(1, 'You are not allowed to read this page');
+        }
         global $conf;
 
         $versions = array();
@@ -905,7 +916,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         $unlockfail = array();
 
         foreach((array) $set['lock'] as $id){
-            if(checklock($id)){
+            $id = cleanID($id);
+            if(auth_quickaclcheck($id) < AUTH_EDIT || checklock($id)){
                 $lockfail[] = $id;
             }else{
                 lock($id);
@@ -914,10 +926,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         }
 
         foreach((array) $set['unlock'] as $id){
-            if(unlock($id)){
-                $unlocked[] = $id;
-            }else{
+            $id = cleanID($id);
+            if(auth_quickaclcheck($id) < AUTH_EDIT || !unlock($id)){
                 $unlockfail[] = $id;
+            }else{
+                $unlocked[] = $id;
             }
         }
author	Michael Hamann <michael@content-space.de>	2011-01-16 13:30:49 +0100
committer	Andreas Gohr <andi@splitbrain.org>	2011-01-16 18:36:55 +0100
commit	29af721754761e8b633e346fefc6e1067150d83c (patch)
tree	30b47f4df20dbc1c18c20722cd88e270195c1b20
parent	668ecbf4f3b194e6466682ac7134425bb698237a (diff)
download	rpg-29af721754761e8b633e346fefc6e1067150d83c.tar.gz rpg-29af721754761e8b633e346fefc6e1067150d83c.tar.bz2