Livetable results allow reconstructing title, content and object fields of inaccessible documents with many requests

Steps to Reproduce:

1. Restrict "view" access to Sandbox.TestPage3 by setting an explicit view right for admins
2. As a user who is not an admin, open <server>/bin/get/XWiki/LiveTableResults?outputSyntax=plain&classname=&collist=doc.title%2Cdoc.location%2Cdoc.content&doc.title=Sandbo&doc.location=Sandbox.TestPage3&doc.content=dummy&limit=0 where <server> is the URL of your XWiki installation.

Expect Result:

No results are displayed as the user doesn't have view rights on Sandbox.TestPage3.

Actual Result:

The result

{"reqNo":null,"matchingtags":{},"tags":[],"totalrows":1,"returnedrows":0,"offset":1,"rows":[{"doc_viewable":false,"doc_fullName":"obfuscated"}]}

is displayed.

This reveals that a document Sandbox.TestPage3 exists (we explicitly searched for this name) which has a title containing "Sandbo" and a content containing "dummy". By starting with a single letter and then iteratively extending the match, the full content of the title/content or XObject properties can be discovered. Several tests can be combined in a single request to use binary search to narrow down the actual match from a list of possible characters/words. If the used alphabet is known and smaller than 128 distinct characters, it is possible to discover one character with 7 requests. Alternatively, frequencies of words and word pairs (2-gram frequencies) can be used to first guess whole words and only resort to guessing individual characters if none of the predicted words match, allowing a much faster recovery of the textual content. As it also depends on the content how easy the attack is and how much recovered content would be a "successful" attack, it is hard to quantify how many requests are necessary.

The issue has been reproduced on 14.5 but is most likely older.