Security Fix: do not allow skipacl in XMLRPC

Ignore-this: 517a7546aab86c5370cccf1aa2171490

Parameters passed to dokuwiki.getPagelist and wiki.getAttachments could
contain the option "skipacl" which would prevent ACL checking. This
could leak information about usually non-readable files (like filenames,
sizes and so on). The content of the files was not accessible.

XMLRPC is disabled by default.

darcs-hash:20091116220523-7ad00-0fa8a9a7a52076619c6836738f9a1f00a6dafe27.gz

lib/exe/xmlrpc.php

@@ -379,6 +379,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         $dir = utf8_encodeFN(str_replace(':', '/', $ns));
         $data = array();
         require_once(DOKU_INC.'inc/search.php');
+        $opts['skipacl'] = 0; // no ACL skipping for XMLRPC
         search($data, $conf['datadir'], 'search_allpages', $opts, $dir);
         return $data;
     }
@@ -398,8 +399,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 
         $ns = cleanID($ns);
 
-        if (!is_array($options))
-            $options = array();
+        if (!is_array($options)) $options = array();
+        $options['skipacl'] = 0; // no ACL skipping for XMLRPC
 
 
         if(auth_quickaclcheck($ns.':*') >= AUTH_READ) {