You are here: Foswiki>Tasks Web>Item13233 (16 Feb 2015, MichaelDaum)Edit Attach

Item13233: DBCache seems to leek data

Priority: Security
Current State: Closed
Released In: n/a
Target Release: n/a

Applies To: Extension
Component: DBCacheContrib
Branches:

Reported By: AndreLichtsteiner
Waiting For:
Last Change By: MichaelDaum

Extensions,DBCachePlugin seems to leek Data.

What we observe: Is access restricted with intopic ALLOWTOPICVIEW, DBQUERY does only contain results the user has view rights. But, is view restricted per web in WebPreferences, DBQUERY brings back all information it should not.

Honestly, we are a little shocked, but, the problem is reproducible.

Foswiki Engine: 1.1.5
DBCachePlugin: 6.0.1 (latest and greatest)
DBCacheContrib: 4.0.0 (latest and greatest)

Can somebody reproduce this behaviour?

-- AndreLichtsteiner - 27 Jan 2015

Try this hotfix please:

index f8c3b7b..2c4b424 100644
--- a/lib/Foswiki/Plugins/DBCachePlugin/WebDB.pm
+++ b/lib/Foswiki/Plugins/DBCachePlugin/WebDB.pm
@@ -342,7 +342,7 @@ sub dbQuery {
       if (
         $isAdmin 
         || (!$topicHasPerms && $webViewPermission)
-        || $this->checkAccessPermission('VIEW', $wikiName, $topicObj) #Foswiki::Func::checkAccessPermission('VIEW', $wikiName, undef, $topicName, $this->{web}))
+        || ($topicHasPerms && $this->checkAccessPermission('VIEW', $wikiName, $topicObj)) #Foswiki::Func::checkAccessPermission('VIEW', $wikiName, undef, $topicName, $this->{web}))
         ) 
       {

-- MichaelDaum - 27 Jan 2015

Yeah, this changes back to the expected behaviour.

-- AndreLichtsteiner - 28 Jan 2015

ItemTemplate edit

Summary	DBCache seems to leek data
ReportedBy	AndreLichtsteiner
Codebase
SVN Range
AppliesTo	Extension
Component	DBCacheContrib
Priority	Security
CurrentState	Closed
WaitingFor
Checkins
TargetRelease	n/a
ReleasedIn	n/a
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release01x01Checkins