• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item3671: PublishContrib is insecure

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Extension PublishContrib Urgent Closed   n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

The publish cgi script does not check any authorization. So if you are running a site using TemplateLogin just anybody can initiate a publish step ... including all its file level access. On top, the publish does not use a tainted flag. And if you enable it, it fails, probably for good reasons.

-- TWiki:Main/MichaelDaum - 21 Feb 2007

Done. Access to the history topic is now required.

CC

ItemTemplate
Summary PublishContrib is insecure
ReportedBy TWiki:Main.MichaelDaum
Codebase

SVN Range TWiki-4.1.1, Tue, 20 Feb 2007, build 12932
AppliesTo Extension
Component PublishContrib
Priority Urgent
CurrentState Closed
WaitingFor

Checkins 12961
TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r2 - 2007-02-22 - CrawfordCurrie
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback