Item13233: DBCache seems to leak data
Priority: Security
Current State: Closed
Released In: n/a
Target Release: n/a
Extensions, DBCachePlugin seems to leak data.
What we observe: if access is restricted with an in-topic ALLOWTOPICVIEW, DBQUERY only contains results the user has view rights for. But if view is restricted per web in WebPreferences, DBQUERY brings back all the information it should not.
Honestly, we are a little shocked, but the problem is reproducible.
- Foswiki Engine: 1.1.5
- DBCachePlugin: 6.0.1 (latest and greatest)
- DBCacheContrib: 4.0.0 (latest and greatest)
Can somebody reproduce this behaviour?
--
AndreLichtsteiner - 27 Jan 2015
Try this hotfix please:
index f8c3b7b..2c4b424 100644
--- a/lib/Foswiki/Plugins/DBCachePlugin/WebDB.pm
+++ b/lib/Foswiki/Plugins/DBCachePlugin/WebDB.pm
@@ -342,7 +342,7 @@ sub dbQuery {
if (
$isAdmin
|| (!$topicHasPerms && $webViewPermission)
- || $this->checkAccessPermission('VIEW', $wikiName, $topicObj) #Foswiki::Func::checkAccessPermission('VIEW', $wikiName, undef, $topicName, $this->{web}))
+ || ($topicHasPerms && $this->checkAccessPermission('VIEW', $wikiName, $topicObj)) #Foswiki::Func::checkAccessPermission('VIEW', $wikiName, undef, $topicName, $this->{web}))
)
{
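Review bot: on the changed `+` line the per-topic check now runs only when `$topicHasPerms` is true, so for every topic without its own permissions the decision rests entirely on `(!$topicHasPerms && $webViewPermission)`. Neither variable is set inside this hunk, so please confirm that `$webViewPermission` is computed for `$wikiName` from the web's view restriction, and add a regression test covering a web restricted in WebPreferences with a topic that carries no permissions of its own. The trailing `#Foswiki::Func::checkAccessPermission(...)` comment is stale, and its unbalanced closing parenthesis makes a security-relevant condition harder to audit; consider dropping it.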
--
MichaelDaum - 27 Jan 2015
Yeah, this changes back to the expected behaviour.
--
AndreLichtsteiner - 28 Jan 2015