Sakai / SAK-41179

Anonymous requests to a public wiki can trigger creation of subspace default pages


    Details

    • Type: Bug
    • Status: RESOLVED
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 12.5, 19.0
    • Fix Version/s: 19.1, 20.0 [Tentative]
    • Component/s: Rwiki
    • Labels:
      None
    • 19 status:
      Resolved
    • 12 status:
      Please Merge
    • Test Plan:

      1. Create a site with the wiki tool.
      2. Add the .anon role to the site. The .anon role should have rwiki.read but not rwiki.create.
      3. Visit the site while not logged in, so that requests run with rwiki.read only.
      4. Click on any existing wiki page.
      5. In the browser address bar, adjust the pageName parameter in the URL, e.g. from

         pageName=%2Fsite%2F996b25c5-9d5f-4dba-9c7a-507e4862c578%2Findex

         to

         pageName=%2Fsite%2F996b25c5-9d5f-4dba-9c7a-507e4862c578%2Fsubspace%2Fsubpage

         The response should be the "permission denied" page.
      6. Log in as an authenticated user with rights to edit the wiki, add the macro {recent-changes} to the wiki home page, and verify that no new subspace pages were created by the anonymous request.
      7. Repeat the pageName manipulation while logged in as that user, and verify that the subspace pages are now created.


      Description

      Where a site grants the .anon role site.visit and rwiki.read, an anonymous visitor to the wiki can cause default subspace pages to be created simply by manipulating the pageName parameter, even though .anon does not hold rwiki.create.

      Subspace pages are pages like /site/SITEID/subspacename/anotherpage, where everything under "subspacename" is a separate space with its own set of default pages (index, edit_right, etc.) generated from the templates.

      Automated scanners routinely probe public URLs by mutating parameter values, so a single pass over a public wiki can leave a set of unwanted pages created from the templates. A wiki.new event is posted for each template page, so the side effect is visible in the event log as well as in {recent-changes}.

      The call stack at the point where the template pages are created (a plain GET, before any create permission is consulted) is:

      at com.sun.proxy.$Proxy131.update(null:-1)
      at uk.ac.cam.caret.sakai.rwiki.tool.service.impl.PopulateServiceImpl.populateRealm(PopulateServiceImpl.java:180)
      at uk.ac.cam.caret.sakai.rwiki.tool.bean.PrePopulateBean.doPrepopulate(PrePopulateBean.java:54)
      at uk.ac.cam.caret.sakai.rwiki.tool.RWikiServlet.prePopulateRealm(RWikiServlet.java:202)
      at uk.ac.cam.caret.sakai.rwiki.tool.RWikiServlet.execute(RWikiServlet.java:163)
      at uk.ac.cam.caret.sakai.rwiki.tool.RWikiServlet.doGet(RWikiServlet.java:118)
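As an added illustration (not code from Sakai or from this issue), the following Python models the request path shown in the call stack and automates the pageName manipulation from the test plan: realm_of() derives the space from a pageName, handle_get_vulnerable() shows the pre-fix side effect of a read-only GET, handle_get_hardened() shows the check a fix needs (a realm that does not exist yet is only populated for callers holding rwiki.create), and probe_url() rewrites a real wiki URL into the probing URL. The template page names, the in-memory store, the response strings and the exact shape of the hardened check are assumptions for the example, not Sakai's implementation.

```python
"""
Model of the RWiki request path: a GET with a pageName parameter reaches
prePopulateRealm(), which creates template pages for the page's realm (space)
if that realm has no pages yet. Everything below is example code, not Sakai's.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode, quote

# Constructed sample data for the example.
SITE_ID = "996b25c5-9d5f-4dba-9c7a-507e4862c578"
# Assumption: a subset of the template page names created for a new space.
TEMPLATE_PAGES = ("index", "edit_right", "view_right")

READ = "rwiki.read"
CREATE = "rwiki.create"


class WikiStore:
    """In-memory stand-in for the wiki object service (assumption, not Sakai code)."""

    def __init__(self):
        self.pages = set()
        self.events = []  # (event, page) records, like the wiki.new events

    def realm_has_pages(self, realm):
        return any(p.startswith(realm + "/") for p in self.pages)

    def populate_realm(self, realm):
        """Create the template pages for a realm, posting one wiki.new per page."""
        for name in TEMPLATE_PAGES:
            page = f"{realm}/{name}"
            if page not in self.pages:
                self.pages.add(page)
                self.events.append(("wiki.new", page))


def realm_of(page_name):
    """/site/ID/subspace/subpage -> /site/ID/subspace (drop the last path segment)."""
    return page_name.rsplit("/", 1)[0]


def handle_get_vulnerable(store, page_name, perms):
    """Pre-fix behaviour: the realm is populated before any create check is made.
    The returned response string is an assumption; the side effect is the point."""
    realm = realm_of(page_name)
    if not store.realm_has_pages(realm):
        store.populate_realm(realm)
    return "ok" if READ in perms else "permission denied"


def handle_get_hardened(store, page_name, perms):
    """Hardened behaviour: a realm that does not exist yet is only created for
    callers holding rwiki.create; anyone else gets the permission-denied page."""
    if READ not in perms:
        return "permission denied"
    realm = realm_of(page_name)
    if not store.realm_has_pages(realm):
        if CREATE not in perms:
            return "permission denied"
        store.populate_realm(realm)
    return "ok"


def probe_url(url, subspace="subspace", page="subpage"):
    """Build the manipulated URL from the test plan by rewriting pageName so it
    points into a subspace that does not exist yet."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    current = qs["pageName"][0]  # already percent-decoded by parse_qs
    qs["pageName"] = [f"{realm_of(current)}/{subspace}/{page}"]
    # quote (not quote_plus) with safe='' re-encodes '/' as %2F, matching the
    # form the browser shows in the address bar.
    query = urlencode(qs, doseq=True, quote_via=quote)
    return urlunsplit(parts._replace(query=query))


if __name__ == "__main__":
    store = WikiStore()
    store.pages.add(f"/site/{SITE_ID}/index")
    anon = {READ}
    target = f"/site/{SITE_ID}/subspace/subpage"
    print("vulnerable:", handle_get_vulnerable(store, target, anon), store.events)
    store2 = WikiStore()
    store2.pages.add(f"/site/{SITE_ID}/index")
    print("hardened:", handle_get_hardened(store2, target, anon), store2.events)
    print("hardened, logged in:", handle_get_hardened(store2, target, {READ, CREATE}), store2.events)
```

To turn the test plan into a repeatable check, feed a real page URL from the site into probe_url(), request the result once anonymously and once as a user with rwiki.create, and then compare the wiki.new events (or the {recent-changes} output) before and after: the anonymous request must produce none.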
      

        People

        • Assignee: smarquard Stephen Marquard
        • Reporter: smarquard Stephen Marquard