Details
- Bug
- Resolution: Fixed
- Major
- 6.1-milestone-1
- Unit
- Unknown
- N/A
- N/A
Description
The lesscss script service checks the programming right, but only for the context document, not for the secure document. Further, it does not take dropped permissions into account. While this is a security issue, the impact is minimal: exploiting it still requires script right, and the only effect is emptying caches, which degrades the performance and therefore the availability of the instance. Script right already allows unlimited execution of scripts and thereby a similar impact.
The affected code can be found at https://github.com/xwiki/xwiki-platform/blob/96caad053c14fc5546e9bc141bc284e6112dd48e/xwiki-platform-core/xwiki-platform-lesscss/xwiki-platform-lesscss-script/src/main/java/org/xwiki/lesscss/LessCompilerScriptService.java#L182
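As an added illustration of the flaw described above (this is not the LessCompilerScriptService code from the linked commit), a hypothetical script service method guarded two ways: the weak check reads the programming right off the context document's content author and ignores dropped permissions, while the hardened check delegates to ContextualAuthorizationManager, which evaluates the secure document ("sdoc" in the context) and honours dropped permissions. The class name CacheClearingScriptService and the method names are assumptions.

```java
import javax.inject.Inject;
import javax.inject.Provider;

import org.xwiki.security.authorization.AuthorizationManager;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.doc.XWikiDocument;

/** Hypothetical script service (assumed name) used only to contrast the two checks. */
public class CacheClearingScriptService
{
    @Inject
    private Provider<XWikiContext> contextProvider;
    @Inject
    private AuthorizationManager authorizationManager;
    @Inject
    private ContextualAuthorizationManager contextualAuthorizationManager;

    /** WEAK: checks the context document's author only and ignores dropped permissions. */
    public boolean clearCacheWeak()
    {
        XWikiContext context = this.contextProvider.get();
        XWikiDocument contextDoc = context.getDoc();
        // The script being executed may come from the secure document ("sdoc" in the
        // context), whose author can hold fewer rights than the context document's author,
        // and a script that called dropPermissions() is still treated as privileged here.
        boolean allowed = this.authorizationManager.hasAccess(Right.PROGRAM,
            contextDoc.getContentAuthorReference(), contextDoc.getDocumentReference());
        if (!allowed) {
            return false;
        }
        // ... clear the caches here (omitted: not the point of the example)
        return true;
    }

    /** FIXED: the contextual manager evaluates the secure document and honours dropped permissions. */
    public boolean clearCacheFixed()
    {
        if (!this.contextualAuthorizationManager.hasAccess(Right.PROGRAM)) {
            return false;
        }
        // ... clear the caches here (omitted: not the point of the example)
        return true;
    }
}
```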
Issue Links
- is caused by XWIKI-10341 Integrate LESS CSS into XWiki Platform (Closed)