  1. XWiki Platform
  2. XWIKI-366

Security issue: PreviewAction does not update the Author of the document

Details

    • Integration

    Description

      PreviewAction does not update the Author of the document (and does not set the Creator for new documents). This could create baffling outcomes, but also creates a major security issue.

      Suppose a user with programming rights creates a page that can be edited by normal users. Then, if a user creates a script that requires programming rights, he would receive an error if he saves the document, but will successfully execute the script if he previews the document without saving.

      Fixing this is trivial, with no side effects, as the document used in the preview action is just a temporary clone of the original document.

            People

              sdumitriu Sergiu Dumitriu
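
A simplified model of the behaviour described in this issue, added here as an illustration and not taken from the XWiki code base: the rights check keys on the document's author, so a preview clone that keeps the old author runs the script with that author's rights. The class and method names, the users `admin` and `alice`, and the `{{privileged}}` marker are assumptions made for the example.

```java
import java.util.Set;

// Simplified model of the report; every class, method and user name here is hypothetical.
public class PreviewAuthorDemo {
    static final Set<String> PROGRAMMERS = Set.of("admin"); // constructed rights table

    static class Doc {
        String author, content; // author = user whose rights the script check uses
        Doc(String author, String content) { this.author = author; this.content = content; }
        Doc copy() { return new Doc(author, content); }
    }

    // A script marked {{privileged}} runs only if the document author has programming rights.
    static String render(Doc d) {
        if (!d.content.contains("{{privileged}}")) return d.content;
        return PROGRAMMERS.contains(d.author)
            ? "privileged script executed with rights of " + d.author
            : "ERROR: programming rights required";
    }

    // Save: the editing user becomes the author, so the check applies to them.
    static String save(Doc stored, String user, String content) {
        stored.author = user;
        stored.content = content;
        return render(stored);
    }

    // Preview as reported: the temporary clone keeps the previous author; user is ignored.
    static String previewAsReported(Doc stored, String user, String content) {
        Doc tmp = stored.copy();
        tmp.content = content;
        return render(tmp);
    }

    // Preview with the fix: set the author on the clone only; the stored document is untouched.
    static String previewFixed(Doc stored, String user, String content) {
        Doc tmp = stored.copy();
        tmp.author = user;
        tmp.content = content;
        return render(tmp);
    }

    public static void main(String[] args) {
        Doc page = new Doc("admin", "hello"); // page last saved by a programming-rights user
        System.out.println("preview (reported): " + previewAsReported(page, "alice", "{{privileged}}"));
        System.out.println("preview (fixed):    " + previewFixed(page, "alice", "{{privileged}}"));
        System.out.println("stored author after previews: " + page.author);
        System.out.println("save:               " + save(page, "alice", "{{privileged}}"));
    }
}
```

The previews run before the save so that the third line shows the stored author unchanged, matching the report's point that the fix touches only the temporary clone.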