diff options
| author | Michael Hamann <michael@content-space.de> | 2011-01-16 13:30:49 +0100 |
|---|---|---|
| committer | Michael Hamann <michael@content-space.de> | 2011-01-16 13:53:47 +0100 |
| commit | eff795ac6482d5885761f6688ce183c66becd7e1 (patch) | |
| tree | 6b33fbbaa46adcfd4e7f354ccb66bdef2c76f8c5 /lib/exe/xmlrpc.php | |
| parent | 876d3278dce690fbf6a38e29a82e8bad24813fe7 (diff) | |
| download | rpg-eff795ac6482d5885761f6688ce183c66becd7e1.tar.gz rpg-eff795ac6482d5885761f6688ce183c66becd7e1.tar.bz2 | |
Fix several security issues in the XML-RPC interface
For locks and getRevisions there hasn't been any acl check. In many
other cases the id hadn't been cleaned before the acl check was done
which means that many acl rules that should be applied weren't applied.
So e.g. when you have read permissions for the root namespace but not
for a subnamespace you could add a leading ":" and the permissions for
the root namespace will be used instead of the permissions for the
subnamespace. This did not apply to writing pages and reading media
files, but writing and deleting media files have been concerned as well
as reading both plain and html versions of pages.
This only concerns installations where XML-RPC is enabled (default is
disabled) and XML-RPC is allowed for all or untrusted users.
Diffstat (limited to 'lib/exe/xmlrpc.php')
| -rw-r--r-- | lib/exe/xmlrpc.php | 23 |
1 files changed, 18 insertions, 5 deletions
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index d232930a3..d40e338b2 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -296,6 +296,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Return a raw wiki page */ function rawPage($id,$rev=''){ + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } @@ -351,6 +352,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Return a wiki page rendered to html */ function htmlPage($id,$rev=''){ + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } @@ -488,6 +490,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Return some basic data about a page */ function pageInfo($id,$rev=''){ + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } @@ -601,6 +604,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Michael Klier <chi@chimeric.de> */ function putAttachment($id, $file, $params) { + $id = cleanID($id); global $conf; global $lang; @@ -668,6 +672,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * @author Gina Haeussge <osd@foosel.net> */ function deleteAttachment($id){ + $id = cleanID($id); $auth = auth_quickaclcheck(getNS($id).':*'); if($auth < AUTH_DELETE) return new IXR_ERROR(1, "You don't have permissions to delete files."); global $conf; @@ -725,6 +730,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Returns the permissions of a given wiki page */ function aclCheck($id) { + $id = cleanID($id); return auth_quickaclcheck($id); } @@ -734,13 +740,14 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * @author Michael Klier <chi@chimeric.de> */ function listLinks($id) { + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } $links = array(); // resolve page instructions - $ins = p_cached_instructions(wikiFN(cleanID($id))); + $ins = p_cached_instructions(wikiFN($id)); // instantiate new Renderer - needed for interwiki links include(DOKU_INC.'inc/parser/xhtml.php'); @@ -848,6 +855,10 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * @author Michael Klier <chi@chimeric.de> */ function pageVersions($id, $first) { + $id = cleanID($id); + if(auth_quickaclcheck($id) < AUTH_READ){ + return new IXR_Error(1, 'You are not allowed to read this page'); + } global $conf; $versions = array(); @@ -923,7 +934,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { $unlockfail = array(); foreach((array) $set['lock'] as $id){ - if(checklock($id)){ + $id = cleanID($id); + if(auth_quickaclcheck($id) < AUTH_EDIT || checklock($id)){ $lockfail[] = $id; }else{ lock($id); @@ -932,10 +944,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { } foreach((array) $set['unlock'] as $id){ - if(unlock($id)){ - $unlocked[] = $id; - }else{ + $id = cleanID($id); + if(auth_quickaclcheck($id) < AUTH_EDIT || !unlock($id)){ $unlockfail[] = $id; + }else{ + $unlocked[] = $id; } } |