XWiki Platform: XWIKI-20380

It's possible to execute anything with any author through Document#getAuthors()

    Description

      Regression caused by XWIKI-19125 (which introduced Document#getAuthors()).

      To reproduce:

      As a user having SCRIPT right but not PROGRAMMING right:

      • create a document with the following content:

        {{velocity}}
        $doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
        $doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
        $doc.getRenderedContent()
        {{/velocity}}

      The script shows "<p>xwiki:XWiki.superadmin</p>", indicating that the inner script was executed with the rights of the superadmin user.

      Document#getAuthors() just returns XWikiDocument#getAuthors() directly, without any wrapper protecting the DocumentAuthors#set* calls, which causes two problems:

      • it might modify the XWikiDocument from the document cache directly, because it does not go through getDoc() (which is in charge of cloning the XWikiDocument when that has not already been done)
      • while it is not a lasting problem, because any call to #save will override those changes, a script can change the author and then call any of the #display or #getRenderedContent methods, which rely on those modified authors
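As an added illustration (not XWiki's own code, and not the fix shipped for this issue), the kind of wrapper the report says is missing: a script-facing authors object whose setters delegate to the real authors only after a programming-rights check, and which is meant to be created over the clone returned by getDoc() rather than over the cached XWikiDocument. The DocumentAuthors shape, PlainAuthors, GuardedAuthors and the hasProgrammingRight supplier are assumptions for the example.

```java
import java.util.function.BooleanSupplier;
// Assumed minimal shape of the authors object; XWiki's real DocumentAuthors has more setters.
interface DocumentAuthors {
    String getContentAuthor();
    void setContentAuthor(String reference);
}

// Stand-in for the authors held by the (cached) XWikiDocument.
final class PlainAuthors implements DocumentAuthors {
    private String contentAuthor;
    PlainAuthors(String contentAuthor) { this.contentAuthor = contentAuthor; }
    public String getContentAuthor() { return contentAuthor; }
    public void setContentAuthor(String reference) { contentAuthor = reference; }
}

// Script-facing wrapper: reads pass through, writes require PROGRAMMING right.
// It should wrap the clone obtained through getDoc(), never the cached document.
final class GuardedAuthors implements DocumentAuthors {
    private final DocumentAuthors target;
    private final BooleanSupplier hasProgrammingRight; // assumed hook into the rights check
    GuardedAuthors(DocumentAuthors target, BooleanSupplier hasProgrammingRight) {
        this.target = target;
        this.hasProgrammingRight = hasProgrammingRight;
    }
    public String getContentAuthor() { return target.getContentAuthor(); }
    public void setContentAuthor(String reference) {
        if (!hasProgrammingRight.getAsBoolean()) {
            throw new SecurityException("PROGRAMMING right required to change the content author");
        }
        target.setContentAuthor(reference);
    }
}

public class GuardedAuthorsDemo {
    public static void main(String[] args) {
        DocumentAuthors cached = new PlainAuthors("xwiki:XWiki.alice"); // constructed sample
        // A caller with SCRIPT but not PROGRAMMING right, as in the report.
        DocumentAuthors scriptView = new GuardedAuthors(cached, () -> false);
        try {
            scriptView.setContentAuthor("xwiki:XWiki.superadmin");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("content author still " + cached.getContentAuthor());
        // A caller with PROGRAMMING right is allowed through.
        new GuardedAuthors(cached, () -> true).setContentAuthor("xwiki:XWiki.superadmin");
        System.out.println("content author now " + cached.getContentAuthor());
    }
}
```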

      People

      surli Simon Urli
      tmortagne Thomas Mortagne