Modify ↓
Opened 13 years ago
Closed 13 years ago
#10187 closed defect (fixed)
"related" pages listed even without WIKI_VIEW
| Reported by: | Owned by: | Remy Blank | |
|---|---|---|---|
| Priority: | high | Milestone: | 0.12.3 |
| Component: | wiki system | Version: | 0.12.1 |
| Severity: | major | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
When accessing a nonexistent page, the page which prompts to create it also displays a list of "related" pages. Pages for which the user has no WIKI_VIEW privilege should not be listed; instead they are, exposing the wiki to an information leak. (OTOH such pages are correctly removed from the list generated via the "Index" link.)
I'm no Trac innards expert, but it looks like an extra check against WIKI_VIEW would be needed around there: http://trac.edgewall.org/browser//trunk/trac/wiki/web_ui.py#L614
Attachments (0)
Change History (2)
comment:1 by , 13 years ago
| Milestone: | → 0.12.3 |
|---|---|
| Owner: | set to |
| Priority: | normal → high |
Note:
See TracTickets
for help on using tickets.
Spot on! Thanks for the report. Would you mind providing a patch that adds the relevant permission check?