XWIKI-7903 (XWiki Platform)

PR leak in Document#save() when current user has PR


Details

    • Low
    • Hard

    Description

      By default api.Document#save sets the current user as author. The problem with that is that you can write a script which puts whatever you want in the content and just wait for any user with PR to view it.

      {{velocity}}
      #set($unsafedocument = $xwiki.getDocument('Space.UnsafeDocument'))
      $unsafedocument.setContent('{{groovy}}println "Thanks $xcontext.user"{{/groovy}}')
      $unsafedocument.save()
      {{/velocity}}
      

      This is not very complex; we even do that all the time (without putting PR content of course, but still) without thinking too much about it.
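      The escalation path described above, and one possible mitigation, as an added toy model (not XWiki code; User, Document, Wiki, the right name "programming" and the save_hardened rule are assumptions made for the illustration): a script authored by a user without PR performs a save while a PR holder views the page, so the saved script macro ends up attributed to, and executed with the rights of, the viewer.

```python
# Added toy model of the XWIKI-7903 escalation and one mitigation; it is not
# XWiki code (User, Document, Wiki and the right "programming" are constructed).
from dataclasses import dataclass

PR = "programming"  # constructed name for programming rights (PR)

@dataclass
class User:
    name: str
    rights: frozenset = frozenset()

@dataclass
class Document:
    content: str
    author: str  # script macros in content run with this user's rights

class Wiki:
    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def has_pr(self, name):
        return PR in self.users[name].rights

    def save_vulnerable(self, target, current_user, script_doc):
        # Original behaviour: whoever triggered the save becomes the author,
        # even though the content came from the script in script_doc.
        target.author = current_user.name

    def save_hardened(self, target, current_user, script_doc):
        # Assumed mitigation: a save made from a script never grants the saved
        # content more rights than the script's own author already holds.
        if self.has_pr(current_user.name) and not self.has_pr(script_doc.author):
            target.author = script_doc.author
        else:
            target.author = current_user.name

    def render(self, doc):
        # {{groovy}} runs only when the document author holds PR.
        if "{{groovy}}" in doc.content:
            return "executed" if self.has_pr(doc.author) else "blocked"
        return "plain"

def scenario(use_hardened):
    attacker, admin = User("attacker"), User("admin", frozenset({PR}))
    wiki = Wiki([attacker, admin])
    script_doc = Document("{{velocity}}...{{/velocity}}", "attacker")  # attacker's page
    unsafe = Document('{{groovy}}println "hi"{{/groovy}}', "attacker")
    save = wiki.save_hardened if use_hardened else wiki.save_vulnerable
    save(unsafe, admin, script_doc)  # admin's page view triggers the save
    return unsafe.author, wiki.render(unsafe)
```

      With the original behaviour the saved document is attributed to the admin and the groovy executes; with the hardened rule it stays attributed to the attacker and is blocked.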

            People

              tmortagne Thomas Mortagne
              Votes: 0
              Watchers: 2
