You are here: Foswiki>Tasks Web>Item42 (22 Feb 2009, KennethLavrsen)Edit Attach

Item42: SECURITY: REVINFO reveals info for a topic the user does not have permission to view.

Priority: Urgent
Current State: Closed
Released In: 1.0.0
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: KennethLavrsen
-- SvenDowideit - 01 Nov 2008

REVINFO allowed recovery of revision information for a topic where the reader did not have view access. Note there is an argument that the viewer should at least be able to see who made the edit. in the end I decided not to bother trying to suport that, though.

Added a check, unit tested.

-- CrawfordCurrie - 01 Dec 2008

ItemTemplate edit

Summary SECURITY: REVINFO reveals info for a topic the user does not have permission to view.
ReportedBy SvenDowideit
Codebase
SVN Range TWiki-4.2.3, Wed, 06 Aug 2008, build 17396
AppliesTo Engine
Component
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:3a3db7dc60a0
TargetRelease patch
ReleasedIn 1.0.0
Topic revision: r6 - 22 Feb 2009, KennethLavrsen - This page was cached on 03 Aug 2015 - 13:18. Get a fresh version here.
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License