Uploaded image for project: 'XWiki Rendering'
  1. XWiki Rendering
  2. XRENDERING-689

Default macro content parser doesn't preserve restricted contexts

    XMLWordPrintable

Details

    • Unit
    • Unknown
    • N/A
    • N/A

    Description

      Steps to reproduce:

      Create a comment with content 

      {{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}

      Expected result:

      An error is displayed as the Groovy macro cannot be used in restricted mode.

      Actual result:

      The string "Hello from Groovy!" is displayed.

      This demonstrates a privilege escalation from comment to programming rights. This bug is not specific to the cache macro but can be reproduced with any macro that uses the macro content parser with the transform parameter set to true as the default macro content parser doesn't preserve the restricted attribute of the transformation context.

      This has always been the case since the introduction of the restricted attribute in XWIKI-7878.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-20375 RCE via comment

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link GitHub Security advisory

          Activity

            People

              MichaelHamann Michael Hamann
              MichaelHamann Michael Hamann
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: