From eff795ac6482d5885761f6688ce183c66becd7e1 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Sun, 16 Jan 2011 13:30:49 +0100
Subject: Fix several security issues in the XML-RPC interface

For locks and getRevisions there hasn't been any acl check. In many
other cases the id hadn't been cleaned before the acl check was done
which means that many acl rules that should be applied weren't applied.
So e.g. when you have read permissions for the root namespace but not
for a subnamespace you could add a leading ":" and the permissions for
the root namespace will be used instead of the permissions for the
subnamespace. This did not apply to writing pages and reading media
files, but writing and deleting media files have been concerned as well
as reading both plain and html versions of pages.

This only concerns installations where XML-RPC is enabled (default is
disabled) and XML-RPC is allowed for all or untrusted users.
---
 lib/exe/xmlrpc.php | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

(limited to 'lib/exe')

diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index d232930a3..d40e338b2 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -296,6 +296,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return a raw wiki page
      */
     function rawPage($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -351,6 +352,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return a wiki page rendered to html
      */
     function htmlPage($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -488,6 +490,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Return some basic data about a page
      */
     function pageInfo($id,$rev=''){
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
@@ -601,6 +604,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * Michael Klier <chi@chimeric.de>
      */
     function putAttachment($id, $file, $params) {
+        $id = cleanID($id);
         global $conf;
         global $lang;
 
@@ -668,6 +672,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Gina Haeussge <osd@foosel.net>
      */
     function deleteAttachment($id){
+        $id = cleanID($id);
         $auth = auth_quickaclcheck(getNS($id).':*');
         if($auth < AUTH_DELETE) return new IXR_ERROR(1, "You don't have permissions to delete files.");
         global $conf;
@@ -725,6 +730,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
     * Returns the permissions of a given wiki page
     */
     function aclCheck($id) {
+        $id = cleanID($id);
         return auth_quickaclcheck($id);
     }
 
@@ -734,13 +740,14 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Michael Klier <chi@chimeric.de>
      */
     function listLinks($id) {
+        $id = cleanID($id);
         if(auth_quickaclcheck($id) < AUTH_READ){
             return new IXR_Error(1, 'You are not allowed to read this page');
         }
         $links = array();
 
         // resolve page instructions
-        $ins   = p_cached_instructions(wikiFN(cleanID($id)));
+        $ins   = p_cached_instructions(wikiFN($id));
 
         // instantiate new Renderer - needed for interwiki links
         include(DOKU_INC.'inc/parser/xhtml.php');
@@ -848,6 +855,10 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
      * @author Michael Klier <chi@chimeric.de>
      */
     function pageVersions($id, $first) {
+        $id = cleanID($id);
+        if(auth_quickaclcheck($id) < AUTH_READ){
+            return new IXR_Error(1, 'You are not allowed to read this page');
+        }
         global $conf;
 
         $versions = array();
@@ -923,7 +934,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         $unlockfail = array();
 
         foreach((array) $set['lock'] as $id){
-            if(checklock($id)){
+            $id = cleanID($id);
+            if(auth_quickaclcheck($id) < AUTH_EDIT || checklock($id)){
                 $lockfail[] = $id;
             }else{
                 lock($id);
@@ -932,10 +944,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         }
 
         foreach((array) $set['unlock'] as $id){
-            if(unlock($id)){
-                $unlocked[] = $id;
-            }else{
+            $id = cleanID($id);
+            if(auth_quickaclcheck($id) < AUTH_EDIT || !unlock($id)){
                 $unlockfail[] = $id;
+            }else{
+                $unlocked[] = $id;
             }
         }
 
-- 
cgit v1.2.3