Details
- Bug
- Resolution: Fixed
- Blocker
- 8.2, 7.4.5
- Unit, Integration
- Unknown
- N/A
Description
When links are modified as part of a refactoring (e.g. a page rename), the document is saved using the current author as the metadata author. This might lead to privilege escalation and script right execution.
Reproduction steps:
- Create 2 users: Foo without script right and Bar with script right
- Login with Foo
- Create a page P1
- Create a page P2 with a MovieClass xobject
- In the "poster" field of the xobject put a link to P1 and a velocity script
- Login with Bar and rename P1 to P3
Expected result:
- P2 gets a new version and its link is refactored, the history shows that Bar performed the refactoring, but the velocity script remains not executed
Obtained result:
- P2 gets a new version and its link is refactored, the history shows that Bar performed the refactoring, but the velocity script is executed
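A simplified model of the steps above, added here as an illustration and not XWiki code: `Doc`, `rights_author`, `rename` and the `[[P1]]` / `#set` sample content are assumptions. It contrasts a refactoring save that takes over the author used for rights checks (the obtained result) with one that only records the current user in the history (the expected result).

```python
from dataclasses import dataclass, field

SCRIPT_RIGHT = {"Foo": False, "Bar": True}  # constructed users from the steps above


@dataclass
class Doc:
    name: str
    rights_author: str  # user whose rights decide whether scripts run (assumed model)
    poster: str = ""    # xobject field holding a link plus script text
    history: list = field(default_factory=list)  # who saved each version

    def script_runs(self) -> bool:
        has_script = "#set" in self.poster  # crude stand-in for "contains Velocity"
        return has_script and SCRIPT_RIGHT[self.rights_author]


def rename(docs, old, new, current_user, preserve_rights_author):
    """Rename `old` to `new` and rewrite [[old]] links in the other documents."""
    docs[new] = docs.pop(old)
    docs[new].name = new
    for doc in docs.values():
        if f"[[{old}]]" not in doc.poster:
            continue
        doc.poster = doc.poster.replace(f"[[{old}]]", f"[[{new}]]")
        doc.history.append(current_user)      # history always shows who refactored
        if not preserve_rights_author:
            doc.rights_author = current_user  # reported behaviour: Bar becomes author


def scenario(preserve_rights_author):
    """Replay the reproduction steps; return P2's state before and after the rename."""
    docs = {
        "P1": Doc("P1", "Foo", history=["Foo"]),
        "P2": Doc("P2", "Foo", poster="[[P1]] #set($x = 1)", history=["Foo"]),
    }
    before = docs["P2"].script_runs()
    rename(docs, "P1", "P3", "Bar", preserve_rights_author)
    p2 = docs["P2"]
    return before, p2.script_runs(), p2.history[-1], p2.poster


if __name__ == "__main__":
    print("obtained:", scenario(preserve_rights_author=False))
    print("expected:", scenario(preserve_rights_author=True))
```

A regression test for this class of bug asserts both facts at once: the last history entry is the user who renamed, and the script-execution decision is unchanged by the refactoring.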
Issue Links
- is caused by XWIKI-13401 XWikiGuest is set as author when renaming a page and updating the relative links (Closed)