Edgewall Software
Modify

Opened 14 years ago

Closed 14 years ago

#10187 closed defect (fixed)

"related" pages listed even without WIKI_VIEW

Reported by: david@… Owned by: Remy Blank
Priority: high Milestone: 0.12.3
Component: wiki system Version: 0.12.1
Severity: major Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

When accessing a nonexistent page, the page which prompts to create it also displays a list of "related" pages. Pages for which the user has no WIKI_VIEW privilege should not be listed; instead they are, exposing the wiki to an information leak. (OTOH such pages are correctly removed from the list generated via the "Index" link.)

I'm no Trac innards expert, but it looks like an extra check against WIKI_VIEW would be needed around there: http://trac.edgewall.org/browser//trunk/trac/wiki/web_ui.py#L614

Attachments (0)

Change History (2)

comment:1 by Remy Blank, 14 years ago

Milestone: 0.12.3
Owner: set to Remy Blank
Priority: normalhigh

Spot on! Thanks for the report. Would you mind providing a patch that adds the relevant permission check?

comment:2 by Remy Blank, 14 years ago

Resolution: fixed
Status: newclosed

Fixed in [10705].

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Remy Blank.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Remy Blank to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.