Fix ACL check in search_allpages #2609
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Due to the changes in 8f34cf3, the ACL check in search_allpages was only executed when 'skipacl' has been explicitly set to false. Otherwise, only ACLs for namespaces were checked (unless the sneakyacl option was passed). The documentation states that the default for 'skipacl' is false, so setting it to false shouldn't be necessary. From all I can see, this does not concern DokuWiki itself as search_allpages is never used without the 'skipacl' option explicitly set to true or false. However, this causes serious security issues in plugins that rely on this ACL check in search_allpages like the include plugin.
michitux
added a commit
to dokufreaks/plugin-include
that referenced
this pull request
Nov 29, 2018
If you are using the DokuWiki Greebo release and rely on ACL checks in the include plugin, apply this change as soon as possible. Note that this is only an issue with namespace includes, so if you do not use namespace includes and edits are only allowed for users that have access to your whole wiki, this does not concern you (but updating is still recommended). Note that this is a problem caused by a bug in DokuWiki release Greebo. A future hotfix release of DokuWiki might fix this, too, see dokuwiki/dokuwiki#2609 for further information.
|
There are now a few unit tests for the search. Is it doable to add some to cover this? |
|
It would certainly be a good idea to add unit tests to test this and that's definitely possible. It's just that I didn't have the time to do this yesterday and I don't know if I'll have time in the next days to work on this. |
bob-beck
pushed a commit
to openbsd/ports
that referenced
this pull request
Jun 9, 2020
Hotfix 2018-04-22b fix PHP 7.3 compatibility: dokuwiki/dokuwiki#2622 fix ACL check: dokuwiki/dokuwiki#2609 Hotfix 2018-04-22c fix an XSS Vulnerability: dokuwiki/dokuwiki#3044 ok pea@ (MAINTAINER) rsadowski@
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Due to the changes in 8f34cf3 (first included in the Greebo release), the ACL check in search_allpages was only executed when 'skipacl' has been explicitly set to false. Otherwise, only ACLs for namespaces were checked (unless the sneakyacl option was passed). The documentation states that the default for 'skipacl' is false, so setting it to false shouldn't be necessary.
From all I can see, this does not concern DokuWiki itself as search_allpages is never used without the 'skipacl' option explicitly set to true or false. However, this causes serious security issues in plugins that rely on this ACL check in search_allpages like the include plugin (see dokufreaks/plugin-include#229).