Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-9069

Private document name leak in document index

    Details

    • keywords:
      security, access rights
    • Development Priority:
      Low
    • Difficulty:
      Hard
    • Similar issues:

      Description

      The AllDocs page expose the names of all pages (including confidential pages) to all users (including unregistered users).

      XWiki should check that the current user has the "view" right for the returned pages.

      As a temporary workaround the AllDocs page should have the "view" right restricted to the XWikiAllGroup.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                dirk@computer42.org H.-Dirk Schmitt
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Date of First Response: