diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2009-11-16 23:05:23 +0100 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2009-11-16 23:05:23 +0100 |
| commit | 6fc3aa1afd3b25c8ada5bd8245997e0fa3a8cdee (patch) | |
| tree | 65df25aeec37076c80bfece7ae7d571f988af26e | |
| parent | 48c8c96f687ddf5eea6750db55be522391ba4e63 (diff) | |
| download | rpg-6fc3aa1afd3b25c8ada5bd8245997e0fa3a8cdee.tar.gz rpg-6fc3aa1afd3b25c8ada5bd8245997e0fa3a8cdee.tar.bz2 | |
Security Fix: do not allow skipacl in XMLRPC
Ignore-this: 517a7546aab86c5370cccf1aa2171490
Parameters passed to dokuwiki.getPagelist and wiki.getAttachments could
contain the option "skipacl" which would prevent ACL checking. This
could leak information about usually non-readable files (like filenames,
sizes and so on). The content of the files was not accessible.
XMLRPC is disabled by default.
darcs-hash:20091116220523-7ad00-0fa8a9a7a52076619c6836738f9a1f00a6dafe27.gz
| -rw-r--r-- | lib/exe/xmlrpc.php | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index 61a7e4de6..9b440c9f5 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -379,6 +379,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { $dir = utf8_encodeFN(str_replace(':', '/', $ns)); $data = array(); require_once(DOKU_INC.'inc/search.php'); + $opts['skipacl'] = 0; // no ACL skipping for XMLRPC search($data, $conf['datadir'], 'search_allpages', $opts, $dir); return $data; } @@ -398,8 +399,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { $ns = cleanID($ns); - if (!is_array($options)) - $options = array(); + if (!is_array($options)) $options = array(); + $options['skipacl'] = 0; // no ACL skipping for XMLRPC if(auth_quickaclcheck($ns.':*') >= AUTH_READ) { |