Details
- Bug
- Resolution: Fixed
- Blocker
- 2.2.2
- High
- Very hard
Description
While an included document with #includeInContext() keeps its own programming rights (PR), an included document with
{{include context=default}}
receives the programming rights of the context document.
On the other hand, in both cases the other access rights are those of the context user, which is discussed in XWIKI-5024.
Compared to syntax 1.0, which tightly linked PR to the real author of the script (apart from special cases that should be handled by XWIKI-2110 and XWIKI-1002), the new syntax has changed this behavior and may grant PR to an author who does not have PR.
Update from July 2022 with reproduction steps to show the impact:
Steps to Reproduce (example)
- Log in as a user with edit right but neither script nor programming right.
- Edit Menu.MenuTemplate (confirm editing the extension's document), switch to the source view of the content and insert
{{groovy}}println("Hello from Groovy!"){{/groovy}}
in some menu item.
- Click "Save & View"
- Open Menu.MenuMacro.
Expected Result
An error is displayed that the Groovy macro isn't allowed.
Actual Result
The text Hello from Groovy! is displayed as part of the menu.
This demonstrates how this can be exploited to obtain programming rights from (default) edit rights using documents bundled with XWiki that have programming rights by default.
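The following is an added model of the rights delegation described above; it is not XWiki's code. Documents, users and rights tables (XWiki.superadmin holding PR, an assumed low-privilege user XWiki.mallory holding only edit right) are constructed so that the reproduction steps can be replayed offline under two policies: "context", where an included document's scripts run with the author of the document that included it, and "own", where each document's scripts run with its own content author, as #includeInContext() does.

```python
"""Model of programming-rights (PR) delegation through {{include}}.

Constructed example, not XWiki's own code: users, rights and documents are
reduced to dictionaries so the confused-deputy problem in the issue can be
exercised offline. The user XWiki.mallory and the rights tables below are
assumptions made for the demonstration.
"""
import re
from dataclasses import dataclass, replace

GROOVY = re.compile(r"\{\{groovy\}\}(.*?)\{\{/groovy\}\}", re.S)
INCLUDE = re.compile(r'\{\{include reference="([^"]+)"\s*/\}\}')

# Constructed rights tables. In XWiki these come from rights objects on the
# wiki and space preferences; here only superadmin holds PR, mallory can edit.
PROGRAMMING = {"XWiki.superadmin"}
EDIT = {"XWiki.superadmin", "XWiki.mallory"}


@dataclass(frozen=True)
class Document:
    reference: str
    content_author: str   # the user who last saved the content
    content: str          # wiki markup, may contain {{groovy}} and {{include}}


def save(wiki, reference, user, new_content):
    """Save as `user`: requires edit right and makes `user` the content author."""
    if user not in EDIT:
        raise PermissionError(f"{user} may not edit {reference}")
    wiki[reference] = replace(wiki[reference], content_author=user, content=new_content)


def render(wiki, reference, policy, effective_author=None, seen=None):
    """Render `reference`; return one (document, outcome, script) per script macro.

    policy="context": scripts in an included document run with the author of
    the document that included it (the behaviour this issue reports).
    policy="own": every document's scripts run with that document's own
    content author (what #includeInContext() does).
    """
    seen = set() if seen is None else seen
    if reference in seen:                       # guard against include loops
        return []
    seen.add(reference)
    doc = wiki[reference]
    if policy == "own" or effective_author is None:
        effective_author = doc.content_author
    events = []
    for m in GROOVY.finditer(doc.content):
        outcome = "executed" if effective_author in PROGRAMMING else "denied"
        events.append((reference, outcome, m.group(1)))
    for m in INCLUDE.finditer(doc.content):
        events.extend(render(wiki, m.group(1), policy, effective_author, seen))
    return events


def attack(policy):
    """Replay the issue's reproduction steps under the given policy."""
    wiki = {
        "Menu.MenuMacro": Document(
            "Menu.MenuMacro", "XWiki.superadmin",
            'Menu: {{include reference="Menu.MenuTemplate"/}}'),
        "Menu.MenuTemplate": Document(
            "Menu.MenuTemplate", "XWiki.superadmin", "* Home"),
    }
    # A user with edit right but no PR rewrites the bundled template and
    # thereby becomes its content author.
    save(wiki, "Menu.MenuTemplate", "XWiki.mallory",
         '* Home\n* {{groovy}}println("Hello from Groovy!"){{/groovy}}')
    # Someone opens Menu.MenuMacro, whose PR-holding author includes the template.
    return render(wiki, "Menu.MenuMacro", policy)


if __name__ == "__main__":
    for policy in ("context", "own"):
        print(policy, attack(policy))
```

Under the "context" policy the Groovy macro placed by the editor-only user executes because the including document's author holds PR; under the "own" policy the same content is denied, which is the expected result given in the steps above. The `seen` set is there because a template that includes its own includer would otherwise recurse without bound.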
Issue Links
- relates to XWIKI-7941 PR leak in sheets when displaying TextArea properties (Closed)
- relates to XWIKI-11227 Use the sdoc XWikiContext property instead of hacking the content author when displaying a document with a sheet (Closed)
- relates to XWIKI-20471 Allow forcing executing an included document with its own author (Closed)
- relates to XWIKI-7879 Refactor to confine delegation of programming rights. (In Progress)