XWiki Platform: XWIKI-22424

Anyone can access wiki attachments list and metadata via REST API


    Description

      Hello, 

      I was testing the XWiki REST API for implementing some custom scripts when I noticed that the /rest/wikis/WikiName/attachments endpoint does not require authentication. Using the "number" query parameter to increase the result count, I am able to get complete lists of wiki attachments including metadata like authors.

      It is important to mention that this access only allows a listing of attachments and metadata. However, I still find it rather critical as things like hierarchy, names of files, page naming, and authors can still reveal sensitive information.

      I did test my configuration in a number of ways and did not find a way to disable this access. The two "exclude unregistered users" checkboxes are set and I restricted the Guest User denying every right. I also tested in multiple browsers and on private devices to exclude any chance of unnoticed persisting sessions.

      It would be great if you could confirm if this is intended behavior or a bad configuration from my side. For testing, I was able to use two separate instances of Image 15.10.11-postgres-tomcat. For user authentication we use the oidc-authenticator, but that is not relevant for API access (right?).

       To reproduce:

            People

              tmortagne Thomas Mortagne
              lukasmonert Lukas Monert