Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-9069

Private document name leak in document index

    XMLWordPrintable

    Details

    • keywords:
      security, access rights
    • Development Priority:
      Low
    • Difficulty:
      Hard
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A
    • Similar issues:

      Description

      The AllDocs page expose the names of all pages (including confidential pages) to all users (including unregistered users).

      XWiki should check that the current user has the "view" right for the returned pages.

      As a temporary workaround the AllDocs page should have the "view" right restricted to the XWikiAllGroup.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              mleduc Manuel Leduc
              Reporter:
              dirk@computer42.org H.-Dirk Schmitt
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response: