XWiki Platform / XWIKI-8771

removing a comment switches programming rights



    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 4.1.2
    • Component/s: Groovy, Security
    • Labels: None
    • Difficulty: Unknown


      Let's say you have an XWiki page authored by P, who has programming rights, and which contains some Groovy scripts. Everything works as expected; the scripts are executed.

      Then comes L, a lambda user who has the "comment" right. He adds a comment to the page. Everything is still perfect and runs well. The history shows that the last author of the page is P. However, it now states that L was the last modifier.

      Now, L deletes his comment for whatever reason (using the nice cross). Now, scripts are not executed on the page anymore. L is now assumed to be the author of the document. All scripts throw security exceptions:

      org.xwiki.rendering.macro.MacroExecutionException: You don't have the right to execute this script
      at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:194)
      at org.xwiki.rendering.macro.script.AbstractScriptMacro.execute(AbstractScriptMacro.java:59) 

      And the page history shows that L is clearly responsible, because the last entry is:

      Version   Editor   Date               Summary
      8.7       Lambda   2013/01/31 17:59   Deleted object

      Now, that might have consequences.

      Imagine the opposite. I am a simple editor, and I write a very bad-ass script in Groovy. I hide it somewhere in a very long page, and probably nest it in a hidden block so nobody sees the error message.
      Then I trick someone with programming rights into removing a bad comment from a user X. XWiki now assumes that this programmer is the author of the page and grants programming rights on the page. My bad-ass script is now running on the server. Nowhere did the programmer assume he would allow and run a server-side script by just removing a comment.
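The two scenarios in the report, as a small added model (Python, written for this page; it is not XWiki's code and does not use XWiki's API). The model assumes a document whose scripts run with the rights of its recorded author, an "author" that is distinct from the "last modifier" (as the report's history shows after the comment is added), and an object-deletion save path that either rewrites the author (the reported behaviour) or leaves it alone (the fixed behaviour). The user names and the set of users holding programming rights are constructed sample data.

```python
"""Model of the authorship/rights switch described in XWIKI-8771.

Added illustration, not XWiki code: a tiny document model in which a script
macro runs only if the document author holds programming rights, and in which
deleting a comment object either does (buggy) or does not (fixed) rewrite the
document author. User names and rights below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample data: the users who hold programming rights in this model.
PROGRAMMING_USERS = {"P", "Programmer"}


@dataclass
class Document:
    content: str
    author: str                 # the user whose rights scripts in the content run with
    last_modifier: str          # who last saved anything, comments included
    comments: list = field(default_factory=list)
    history: list = field(default_factory=list)   # (editor, summary) entries


def has_programming_right(user):
    return user in PROGRAMMING_USERS


def save(doc, user, summary, changes_author):
    """Record a save; only saves flagged changes_author rewrite the document author."""
    doc.last_modifier = user
    if changes_author:
        doc.author = user
    doc.history.append((user, summary))


def edit_content(doc, user, new_content):
    # Editing the content legitimately makes the editor the author.
    doc.content = new_content
    save(doc, user, "Edited content", changes_author=True)


def add_comment(doc, user, text):
    # Matches the report: adding a comment changes the modifier, not the author.
    doc.comments.append((user, text))
    save(doc, user, "Added comment", changes_author=False)


def delete_comment(doc, user, index, buggy):
    # Reported behaviour (buggy=True): the object-deletion save rewrites the author.
    # Fixed behaviour (buggy=False): it is treated like any comment save.
    del doc.comments[index]
    save(doc, user, "Deleted object", changes_author=buggy)


def script_runs(doc):
    """The macro's guard: scripts execute only when the author has programming rights."""
    return has_programming_right(doc.author)


def scenario_report(buggy):
    """Scenario 1 from the report: P authors a script page, L comments, then deletes."""
    doc = Document(content="{{groovy}}println 'hi'{{/groovy}}", author="P", last_modifier="P")
    add_comment(doc, "L", "nice page")
    after_comment = script_runs(doc)      # True: P is still the author
    delete_comment(doc, "L", 0, buggy)
    after_delete = script_runs(doc)       # buggy: False, because L became the author
    return after_comment, after_delete


def scenario_escalation(buggy):
    """Scenario 2: an unprivileged editor plants a script, a programmer deletes a comment."""
    doc = Document(content="", author="P", last_modifier="P")
    edit_content(doc, "Editor", "{{groovy}}/* planted script */{{/groovy}}")
    add_comment(doc, "X", "a bad comment")
    before = script_runs(doc)             # False: Editor lacks programming rights
    delete_comment(doc, "Programmer", 0, buggy)
    after = script_runs(doc)              # buggy: True, the planted script now runs
    return before, after


if __name__ == "__main__":
    for buggy in (True, False):
        label = "buggy" if buggy else "fixed"
        print(label, "report:", scenario_report(buggy),
              "escalation:", scenario_escalation(buggy))
```

The check that matters is the last line of each scenario: with the buggy deletion path the author, and therefore the privilege the page's scripts run with, changes on an action that never touched the content, so the privilege follows whoever last clicked "delete" rather than whoever wrote the script.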


              Assignee: Eduard Moraru (enygma)
              Reporter: David Delbecq (tchize)