Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: 15.10.14, 16.10.0-rc-1, 16.4.6
Affects Version/s: 1.9 M1
Component/s: REST
Labels:

Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
Documentation in Release Notes:
N/A
Similar issues:

Description

To reproduce :

Configure a fresh XWiki instance to prevent Guest users from viewing any page
Create a page (ex : TestPage.WebHome) with a couple of sub pages
As a Guest user use this REST API (https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/XWikiRESTfulAPI#H2Fwikis2F7BwikiName7D2Fpages5B3Fname3DpaneName26space3DspaceName26author3DauthorName5D) to get the list of pages available in the space (TestPage)

http://localhost:8080/xwiki/rest/wikis/xwiki/pages?space=TestPage

Expected results : The REST API should return an error as the Guest user do not have view rights on the "TestPage" page.

Current results : The REST API returns the list of the pages available in the "TestPage" page. See bellow :

<pages>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebPreferences" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebPreferences</id>
<fullName>TestPage.WebPreferences</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebPreferences</name>
<title>Preferences</title>
<parent>WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/WebPreferences
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.WebHome</id>
<fullName>TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiRelativeUrl>
<xwikiAbsoluteUrl>http://localhost:8080/xwiki/bin/view/TestPage/</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/spaces/Sub%20page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.Sub page 1.WebHome</id>
<fullName>TestPage.Page 1.Sub page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1.Sub page 1</space>
<name>WebHome</name>
<title>Sub page 1</title>
<parent>TestPage.Page 1.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/Sub%20page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%201/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 1.WebHome</id>
<fullName>TestPage.Page 1.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 1</space>
<name>WebHome</name>
<title>Page 1</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%201/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/Space5/spaces/TestPage/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:Space5.TestPage.WebHome</id>
<fullName>Space5.TestPage.WebHome</fullName>
<wiki>xwiki</wiki>
<space>Space5.TestPage</space>
<name>WebHome</name>
<title>TestPage</title>
<parent>Main.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/Space5/TestPage/
</xwikiAbsoluteUrl>
</pageSummary>
<pageSummary>
<link href="http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/spaces/Page%202/pages/WebHome" rel="http://www.xwiki.org/rel/page"/>
<id>xwiki:TestPage.Page 2.WebHome</id>
<fullName>TestPage.Page 2.WebHome</fullName>
<wiki>xwiki</wiki>
<space>TestPage.Page 2</space>
<name>WebHome</name>
<title>Page 2</title>
<parent>TestPage.WebHome</parent>
<xwikiRelativeUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiRelativeUrl>
<xwikiAbsoluteUrl>
http://localhost:8080/xwiki/bin/view/TestPage/Page%202/
</xwikiAbsoluteUrl>
</pageSummary>
</pages>

Note that when using another REST API to get the list of children of the "TestPage" page the REST API returns an error (HTTP Status 401 – Unauthorized).

http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/TestPage/pages/WebHome/children

Attachments

Activity

People

Assignee:: Simon Urli

Reporter:: Mohamed Boussaa

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/Nov/24 12:15

Updated:: 19/Mar/25 17:19

Resolved:: 07/Nov/24 15:51

Date of First Response:: 05/Nov/24 1:43 PM