Posted to dev@jspwiki.apache.org by Harry Metske <ha...@gmail.com> on 2009/02/16 18:26:33 UTC
JSPWIKI-502 : security issue or not ?
Devs, especially Andrew,
I would like your opinion on
https://issues.apache.org/jira/browse/JSPWIKI-502
When (Lucene) searching the wiki, should we tell you that a page contains the
search word while you are not authorized to view the page?
regards,
Harry
Re: JSPWIKI-502 : security issue or not ?
Posted by Andrew Jaquith <an...@gmail.com>.
I was planning on re-working Search.jsp soon anyway, so I might be
able to do this. Not sure, though...
On Feb 16, 2009, at 15:57, Janne Jalkanen <ja...@ecyrd.com>
wrote:
>> But what I meant with my call is asking what people think of the
>> two options that might be acceptable:
>> - providing a jspwiki property to allow the functionality (and the
>>   default should be off)
>> - providing my second suggestion to only tell that there are pages
>>   containing the search words
>
> I think either is fine. But the question is - anybody want to do
> this, or do we have anything more urgent or interesting in the
> backlog?
>
> /Janne
Re: JSPWIKI-502 : security issue or not ?
Posted by Janne Jalkanen <ja...@ecyrd.com>.
> But what I meant with my call is asking what people think of the two
> options that might be acceptable:
> - providing a jspwiki property to allow the functionality (and the
>   default should be off)
> - providing my second suggestion to only tell that there are pages
>   containing the search words
I think either is fine. But the question is - anybody want to do
this, or do we have anything more urgent or interesting in the backlog?
/Janne
Re: JSPWIKI-502 : security issue or not ?
Posted by Harry Metske <ha...@gmail.com>.
Yes, I agree, and we can't ignore what people have requested then.
Simply implementing what the initial request in JSPWIKI-502 was, is not an
option.
But what I meant with my call is asking what people think of the two options
that might be acceptable:
- providing a jspwiki property to allow the functionality (and the default
should be off)
- providing my second suggestion to only tell that there are pages
containing the search words
I'm not trying to promote anything, I don't have a strong preference for
either option.
regards,
Harry
2009/2/16 Janne Jalkanen <ja...@ecyrd.com>
>
> As I mentioned, this is something which was discussed many years ago. So I
> do believe that this is a security issue to quite a few people. ATM we have
> a single request for this feature; but the note below suggests that many
> people consider this functionality to be a problem.
>
>
> 2006-05-06 Janne Jalkanen <ja...@ecyrd.com>
>
> * 2.4.4
>
> <snip>
>
> * Added search results filtering based on permissions,
> i.e. you no longer see pages to which you have no
> access to. Requested by many people.
>
>
> On 16 Feb 2009, at 19:26, Harry Metske wrote:
>
>> Devs, especially Andrew,
>>
>> I would like your opinion on
>> https://issues.apache.org/jira/browse/JSPWIKI-502
>>
>> When (Lucene) searching the wiki, should we tell you that a page contains
>> the search word while you are not authorized to view the page?
>>
>> regards,
>> Harry
>>
>
>
Re: JSPWIKI-502 : security issue or not ?
Posted by Janne Jalkanen <ja...@ecyrd.com>.
As I mentioned, this is something which was discussed many years ago.
So I do believe that this is a security issue to quite a few people.
ATM we have a single request for this feature; but the note below
suggests that many people consider this functionality to be a problem.
2006-05-06 Janne Jalkanen <ja...@ecyrd.com>
* 2.4.4
<snip>
* Added search results filtering based on permissions,
i.e. you no longer see pages to which you have no
access to. Requested by many people.
On 16 Feb 2009, at 19:26, Harry Metske wrote:
> Devs, especially Andrew,
>
> I would like your opinion on
> https://issues.apache.org/jira/browse/JSPWIKI-502
>
> When (Lucene) searching the wiki, should we tell you that a page
> contains the search word while you are not authorized to view the page?
>
> regards,
> Harry
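
The two options discussed in this thread, modelled as an added example (not JSPWiki code and not from any poster): search hits are filtered by view permission, with an opt-in switch for each option. The index contents, user names, and the names `show_unauthorized`, `report_hidden_count` and `residual_disclosure` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample index: page name -> (text, principals allowed to view).
INDEX = {
    "Main": ("welcome to the wiki, see the budget summary", {"alice", "bob"}),
    "BoardMinutes": ("budget cuts and layoffs planned for Q3", {"alice"}),
    "Sandbox": ("scratch page", {"alice", "bob"}),
}

@dataclass
class SearchResult:
    visible: list       # matching pages the caller may view
    hidden_count: int   # matching pages withheld; reported only on request
    leaked: list        # names of unviewable matches (option 1 only)

def search(user, term, show_unauthorized=False, report_hidden_count=False):
    """Filter full-text hits by view permission before anything is rendered.

    show_unauthorized   -- hypothetical property for option 1, default off
    report_hidden_count -- hypothetical switch for option 2, default off
    """
    hits = [n for n, (text, _) in INDEX.items() if term.lower() in text.lower()]
    visible = sorted(n for n in hits if user in INDEX[n][1])
    denied = sorted(n for n in hits if user not in INDEX[n][1])
    report = show_unauthorized or report_hidden_count
    return SearchResult(
        visible=visible,
        hidden_count=len(denied) if report else 0,
        leaked=denied if show_unauthorized else [],
    )

def residual_disclosure(user, words):
    """What option 2 still reveals: which of the given words occur on some
    page the user cannot read, even though no page name is shown."""
    return [w for w in words
            if search(user, w, report_hidden_count=True).hidden_count > 0]
```

With both switches off, the result for an unauthorized user is indistinguishable from the page not matching at all, which is the behaviour the 2.4.4 changelog entry describes.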