Posted to dev@jspwiki.apache.org by "Harvey Echain (JIRA)" <ji...@apache.org> on 2018/02/28 11:44:00 UTC

[jira] [Commented] (JSPWIKI-1039) ACLs are not taken into account when cache is disabled

    [ https://issues.apache.org/jira/browse/JSPWIKI-1039?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16380169#comment-16380169 ] 

Harvey Echain commented on JSPWIKI-1039:
----------------------------------------

I initially filed it in "security issue, do not disclose publicly" mode.

Then JSPWIKI-1047 was publicly filed by someone else, marked as 'Minor' (I strongly disagree, sensitive information may silently leak because of this), and then presumably fixed in 2.10.3.

But I'm sorry to report that the problem still shows in 2.10.3.

I changed the status to public.

> ACLs are not taken into account when cache is disabled
> ------------------------------------------------------
>
>                 Key: JSPWIKI-1039
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1039
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Authentication & Authorization
>    Affects Versions: 2.10.2, 2.10.3
>            Reporter: Harvey Echain
>            Priority: Critical
>
> Just set jspwiki.usePageCache to false, and find out (by accident) that ACLs are not taken into account anymore, leading to a major leak of information from pages that were not supposed to be viewable.


