  1. XWiki Platform
  2. XWIKI-366

Security issue: PreviewAction does not update the Author of the document

    Details

    • Tests:
      Integration

      Description

      PreviewAction does not update the Author of the document (and does not set the Creator for new documents). This could create baffling outcomes, but also creates a major security issue.

      Suppose a user with programming rights creates a page that can be edited by normal users. Then, if a user creates a script that requires programming rights, he would receive an error if he saves the document, but will successfully execute the script if he previews the document without saving.

      Fixing this is trivial, with no side effects, as the document used in the preview action is just a temporary clone of the original document.
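
      The author-based rights check described above, as an added example that is not XWiki code: a minimal Python model in which privileged content runs with the rights of the document's author. All names (`Document`, `render`, `save`, `preview_unfixed`, `preview_fixed`, the `{{privileged}}` marker, the users) are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed model: users holding programming rights in this toy wiki.
PROGRAMMING_RIGHTS = {"admin"}


@dataclass(frozen=True)
class Document:
    content: str
    author: str         # user whose rights privileged scripts run under
    creator: str = ""   # empty for a document that does not exist yet


def render(doc: Document) -> str:
    """Run privileged content only if the document's author may do so."""
    if "{{privileged}}" in doc.content and doc.author not in PROGRAMMING_RIGHTS:
        raise PermissionError(f"{doc.author!r} lacks programming rights")
    return doc.content.replace("{{privileged}}", "[privileged script ran]")


def save(doc: Document, user: str, new_content: str) -> Document:
    """Save path: the new revision is attributed to the saving user."""
    return replace(doc, content=new_content, author=user,
                   creator=doc.creator or user)


def preview_unfixed(doc: Document, user: str, new_content: str) -> str:
    """Behaviour described in the issue: the clone keeps the old author."""
    clone = replace(doc, content=new_content)
    return render(clone)


def preview_fixed(doc: Document, user: str, new_content: str) -> str:
    """Fix: stamp the temporary clone with the previewing user."""
    clone = replace(doc, content=new_content, author=user,
                    creator=doc.creator or user)
    return render(clone)


def is_denied(fn, *args) -> bool:
    """True if the call is rejected by the rights check."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

      Because the preview works on a clone, stamping the author there leaves the stored document untouched, which matches the "no side effects" remark above.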


              People

              • Assignee:
                sdumitriu Sergiu Dumitriu
                Reporter:
                sdumitriu Sergiu Dumitriu
