Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 15.1, 14.4.8, 14.10.6
Affects Version/s: 7.3-milestone-1
Component/s: REST
Labels:

Tests:

Unit
Development Priority:
Medium
Difficulty:
Hard
Documentation:
N/A
Documentation in Release Notes:
N/A
Pull Request Status:
Pull Request accepted
Similar issues:

Description

We need to check the obfuscation parameter and obfuscate the email if on.

Reproduction steps:

Create a user U1
Set an email
Activate email obfuscation
Query http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 (the query must be done with a user with no edit rights on XWiki.U1 as we don't obfuscate emails for users with edit rights)

Expected

The mail is obfuscated

Actual:

The mail is displayed un-obfuscated

Actually what's really bad is that the same is true for password that are returned (hashed) to the end user, making them very easily breakable offline (e.g., rainbow tables and such)

Attachments

Issue Links

links to

GitHub Security Advisory

Activity

People

Assignee:: Manuel Leduc

Reporter:: Vincent Massol

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 13/Feb/19 17:46

Updated:: 20/Jun/23 17:03

Resolved:: 21/Feb/23 11:40

Date of First Response:: 16/Feb/19 10:39 PM