diff options
| author | Michael Hamann <michael@content-space.de> | 2011-01-16 13:30:49 +0100 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2011-01-16 18:36:55 +0100 |
| commit | 29af721754761e8b633e346fefc6e1067150d83c (patch) | |
| tree | 30b47f4df20dbc1c18c20722cd88e270195c1b20 /lib/scripts/toolbar.js | |
| parent | 668ecbf4f3b194e6466682ac7134425bb698237a (diff) | |
| download | rpg-29af721754761e8b633e346fefc6e1067150d83c.tar.gz rpg-29af721754761e8b633e346fefc6e1067150d83c.tar.bz2 | |
Fix several security issues in the XML-RPC interface
For locks and getRevisions there hasn't been any acl check. In many
other cases the id hadn't been cleaned before the acl check was done
which means that many acl rules that should be applied weren't applied.
So e.g. when you have read permissions for the root namespace but not
for a subnamespace you could add a leading ":" and the permissions for
the root namespace will be used instead of the permissions for the
subnamespace. This did not apply to writing pages and reading media
files, but writing and deleting media files have been concerned as well
as reading both plain and html versions of pages.
This only concerns installations where XML-RPC is enabled (default is
disabled) and XML-RPC is allowed for all or untrusted users.
Diffstat (limited to 'lib/scripts/toolbar.js')
0 files changed, 0 insertions, 0 deletions