XWiki Platform / XWIKI-7077

Recyclebin subverts permissions


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 2.6, 2.7.1
    • Other
    • Tomcat 6.0.18
      Java 1.6.0_10
    • recyclebin permissions subverted
    • Unknown
    • N/A
    • N/A

    Description

      An arbitrary string can be used to view documents in the recycle bin that the user has no permission to view.

      Create a space and doc. Create a group with a user. Restrict view/editing/deleting of the space to the group. Permissions work as expected and users not in the group cannot view/edit/delete.

      Now delete the page to the recycle bin. The page will be accessible even to the guest user at a URL like:

      http://<server>:<port>/<context>/bin/view/<arbitrary_string>/<actual_page_name>?viewer=recyclbin&id=<id>

      If <arbitrary_string> is the correct space name, the permissions work, but if it is anything other than the correct space, any user can view the page.

      Of course, a malicious user would have to guess the page name and recycle bin id parameter, but even so it's a bug.

      I've only tested on 2.7.1 and 2.6. Others may be affected.
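The behaviour reported above (rights enforced when the URL carries the real space name, bypassed when it carries any other string) is consistent with a viewer that derives its access check from the space in the request URL rather than from the reference stored with the recycle-bin entry. The following added example is not XWiki code; it is a toy model with hypothetical names and constructed data that places that assumed weak check beside a check that uses the stored reference and also refuses entries that do not match the requested document.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeletedDoc:
    """A recycle-bin entry: the reference the page had when it was deleted."""
    entry_id: int
    space: str
    name: str
    content: str


# Constructed sample data: one restricted space, one deleted page in it.
RECYCLE_BIN = {7: DeletedDoc(7, "Secret", "Plan", "confidential text")}
# space -> users allowed to view it; spaces not listed are world-readable.
VIEW_ACL = {"Secret": {"alice"}}


def can_view(user: str, space: str) -> bool:
    allowed = VIEW_ACL.get(space)
    return allowed is None or user in allowed


def view_recycled_weak(user: str, url_space: str, url_name: str, entry_id: int) -> str:
    """Assumed weak check: rights are evaluated against the space named in
    the URL, so a caller who supplies an unrestricted space name passes."""
    entry = RECYCLE_BIN.get(entry_id)
    if entry is None or entry.name != url_name:
        return "not found"
    if not can_view(user, url_space):
        return "forbidden"
    return entry.content


def view_recycled_fixed(user: str, url_space: str, url_name: str, entry_id: int) -> str:
    """Hardened check: the URL must name the document the entry belongs to,
    and rights are evaluated against the space stored with the entry."""
    entry = RECYCLE_BIN.get(entry_id)
    if entry is None or (entry.space, entry.name) != (url_space, url_name):
        return "not found"
    if not can_view(user, entry.space):
        return "forbidden"
    return entry.content
```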

            People

              jvdrean Jean-Vincent Drean
              cmp Chris Phelan