Details
- Bug
- Resolution: Fixed
- Blocker
- 7.0-rc-1
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
Open <xwiki-host>/xwiki/bin/view/%22%2F%7D%7D%7B%7B%2Fhtml%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=XWiki.ClassSheet&xpage=view, where <xwiki-host> is the URL of your XWiki installation.
Expected result:
An empty Live Data is displayed under "Existing pages". Buttons to create the sheet and the template are displayed below the respective headings.
Actual result:
The text
The following pages have objects described by this class. The [liveData] macro is a standalone macro and it cannot be used inline. Click on this message for details. {{/html}} Hello from groovy!.WebHome"
is displayed below "Existing pages". Below the "Class Sheets" and "Class Template" headings, errors are displayed together with the output Hello from groovy!.WebHome"/>. This shows that the Groovy macro embedded in the page name from the URL was executed three times, which demonstrates a privilege escalation from view right to programming right.
The first occurrence was introduced by the migration to Live Data in XWIKI-18757 and thus affects releases starting with 13.10-rc-1. The other two have existed since the introduction of the sheet in XWIKI-11904 and thus since 7.0-rc-1.
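The root cause is a document reference taken from the URL being pasted verbatim into wiki syntax. As an added example that is neither the issue's nor XWiki's own ClassSheet code, the hypothetical minimal sheet below shows that unsafe interpolation next to a hardened form that escapes the reference through the rendering script service; the liveData parameter names used here and the assumption that this escaping is honoured inside macro parameter values are mine.

```velocity
{{velocity}}
## Hypothetical minimal sheet (added example, not XWiki's ClassSheet).
## UNSAFE: $doc.fullName comes from the requested URL and is inserted
## verbatim into wiki syntax. A page name such as  "/}}{{/html}} ...
## closes the parameter quote and the macro early, and everything after
## it is parsed and rendered as wiki markup with the sheet's rights.
{{liveData id="pages" source="liveTable" sourceParameters="className=$doc.fullName" /}}

## SAFE: escape the reference for the document's own syntax before
## interpolating it, so wiki-syntax characters in the page name are
## rendered as literal text and cannot terminate quotes or macros.
## (Assumption: the escaped form is honoured inside macro parameter values.)
#set ($escapedName = $services.rendering.escape($doc.fullName, $doc.syntax))
#if ("$!escapedName" != '')
{{liveData id="pages" source="liveTable" sourceParameters="className=$escapedName" /}}
#else
  ## escape() returns null for syntaxes it cannot handle; refuse rather than fall back to the raw value.
  {{error}}Cannot safely display the class name in this syntax.{{/error}}
#end
{{/velocity}}
```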