security hole?


security hole?

Matthew Conway
Isn't it a potential security hole for  
com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of  
XWikiDocument instead of wrapping them in a Document like the other  
API methods do?

Matt




--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

Re: security hole?

Ludovic Dubost

There is a bug in this API. I have been notified of that one recently.
We need to fix it.

Ludovic

Matthew Conway wrote:

> Isn't it a potential security hole for
> com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of
> XWikiDocument instead of wrapping them in a Document like the other
> API methods do?
>
> Matt

--
Ludovic Dubost
XPertNet: http://www.xpertnet.fr/
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost AIM: nvludo Yahoo: ludovic




--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
Reply | Threaded
Open this post in threaded view
|

Re: security hole?

Matthew Conway
It's easy enough to fix, but if any view layer depends on the extra
access, it will break.  Is it ok to break people that are wrongly
depending on a security hole to get more access?

Something like wrapping the returned lists with a call to wrapDocs  
would work:

     import java.util.ArrayList;
     import java.util.Iterator;
     import java.util.List;

     // Wrap each internal XWikiDocument in the API Document wrapper so callers
     // only ever get the access-checked view, never the raw in-memory object.
     private List wrapDocs(List docs)
     {
         List result = new ArrayList();
         if (docs != null)
         {
             // iterate over the input list, not the (still empty) result list
             for (Iterator iter = docs.iterator(); iter.hasNext();)
             {
                 XWikiDocument doc = (XWikiDocument) iter.next();
                 Document wrappedDoc = new Document(doc, context);
                 result.add(wrappedDoc);
             }
         }
         return result;
     }


Matt

On Feb 24, 2006, at 8:50 PM, Ludovic Dubost wrote:

>
> There is a bug in this API. I have been notified of that one
> recently.
> We need to fix it.
>
> Ludovic
>
> Matthew Conway wrote:
>> Isn't it a potential security hole for  
>> com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of  
>> XWikiDocument instead of wrapping them in a Document like the  
>> other API methods do?
>>
>> Matt




Re: security hole?

jeremi joslin
On 2/25/06, Matthew Conway <[hidden email]> wrote:
> It's easy enough to fix, but if any view layer depends on the extra
> access, it will break.  Is it ok to break people that are wrongly
> depending on a security hole to get more access?

Yes, we will not leave a security hole in the API.

Jérémi

--
Blog: http://www.jeremi.info
LinkedIn: https://www.linkedin.com/profile?viewProfile=&key=1437724
Project Manager XWiki: http://www.xwiki.org
skype: jeremi23 -- msn and gtalk: [hidden email]



Re: security hole?

Ludovic Dubost
In reply to this post by Matthew Conway

What I find weird is that I thought I had protected these functions:

    public List search(String wheresql) throws XWikiException {
        return xwiki.search(wheresql, context);
    }

    public List search(String wheresql, int nb, int start) throws XWikiException {
        return xwiki.search(wheresql, nb, start, context);
    }

It should be:

    public List search(String wheresql) throws XWikiException {
        if (checkProgrammingRights())
            return xwiki.search(wheresql, context);
        return null;
    }

    public List search(String wheresql, int nb, int start) throws XWikiException {
        if (checkProgrammingRights())
            return xwiki.search(wheresql, nb, start, context);
        else
            return null;
    }

This is annoying and needs to be fixed.

Concerning the searchDocuments function, this actually secures documents
from being read by the search function when users are not allowed.
However, without wrapping them they can be modified in memory, which is bad:

    if (checkRight) {
        if (context.getWiki().getRightService().checkAccess("view", doc, context) == false)
            continue;
    }


I've committed changes for these two issues.

Ludovic

Matthew Conway wrote:

> It's easy enough to fix, but if any view layer depends on the extra
> access, it will break.  Is it ok to break people that are wrongly
> depending on a security hole to get more access?
>
> Something like wrapping the returned lists with a call to wrapDocs
> would work:
>
>     private List wrapDocs(List docs)
>     {
>         List result = new ArrayList();
>         if (docs != null)
>         {
>             // iterate over the input list, not the (still empty) result list
>             for (Iterator iter = docs.iterator(); iter.hasNext();)
>             {
>                 XWikiDocument doc = (XWikiDocument) iter.next();
>                 Document wrappedDoc = new Document(doc, context);
>                 result.add(wrappedDoc);
>             }
>         }
>         return result;
>     }
>
>
> Matt
>
> On Feb 24, 2006, at 8:50 PM, Ludovic Dubost wrote:
>
>>
>> There is a bug in this API. I have been notified of that one recently.
>> We need to fix it.
>>
>> Ludovic
>>
>> Matthew Conway wrote:
>>> Isn't it a potential security hole for
>>> com.xpn.xwiki.api.XWiki.searchDocuments(*) to return a list of
>>> XWikiDocument instead of wrapping them in a Document like the other
>>> API methods do?
>>>
>>> Matt

--
Ludovic Dubost
XPertNet: http://www.xpertnet.fr/
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost AIM: nvludo Yahoo: ludovic




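The pattern the thread converges on, a programming-rights gate on the raw search and a per-document view check plus wrapping on the document search, as an added example that is not XWiki's own code. XWikiDocument, Document, RightService and XWikiApi here are simplified stand-ins with assumed shapes; the in-memory store replaces the real query backend.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-ins for XWiki's internal document and rights service
// (assumed shapes, not the real classes).
class XWikiDocument {
    final String name;
    String content;                       // mutable: a script holding this can rewrite it
    XWikiDocument(String name, String content) { this.name = name; this.content = content; }
}
interface RightService {
    boolean hasProgrammingRights(String user);
    boolean checkAccess(String right, XWikiDocument doc, String user);
}

// API wrapper: read-only view with no setters, so results handed to scripts
// cannot modify the in-memory document behind them.
final class Document {
    private final XWikiDocument doc;
    Document(XWikiDocument doc) { this.doc = doc; }
    public String getName() { return doc.name; }
    public String getContent() { return doc.content; }
}
class XWikiApi {
    private final List<XWikiDocument> store;   // stand-in for the query backend
    private final RightService rights;
    private final String user;

    XWikiApi(List<XWikiDocument> store, RightService rights, String user) {
        this.store = store; this.rights = rights; this.user = user;
    }

    // Raw search can reach any row, so it is gated on programming rights
    // (an empty list here where the thread's fix returns null).
    public List<XWikiDocument> search(String wheresql) {
        if (!rights.hasProgrammingRights(user)) return new ArrayList<>();
        return new ArrayList<>(store);             // real code would run wheresql
    }

    // Document search is open to every user: each hit is checked for "view"
    // and wrapped, so neither unreadable nor raw mutable documents leak out.
    public List<Document> searchDocuments(String wheresql) {
        List<Document> result = new ArrayList<>();
        for (XWikiDocument doc : store) {
            if (!rights.checkAccess("view", doc, user)) continue;
            result.add(new Document(doc));
        }
        return result;
    }
}
```

A caller without programming rights gets nothing from search and only view-checked, read-only Document objects from searchDocuments; a caller with programming rights still receives raw XWikiDocument objects from search, which is the one place that exposure is intended.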