From 6fc3aa1afd3b25c8ada5bd8245997e0fa3a8cdee Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Mon, 16 Nov 2009 23:05:23 +0100
Subject: [PATCH] Security Fix: do not allow skipacl in XMLRPC

Ignore-this: 517a7546aab86c5370cccf1aa2171490

Parameters passed to dokuwiki.getPagelist and wiki.getAttachments could
contain the option "skipacl" which would prevent ACL checking. This
could leak information about usually non-readable files (like filenames,
sizes and so on). The content of the files was not accessible.

XMLRPC is disabled by default.

darcs-hash:20091116220523-7ad00-0fa8a9a7a52076619c6836738f9a1f00a6dafe27.gz
---
 lib/exe/xmlrpc.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 61a7e4de6..9b440c9f5 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -379,6 +379,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
         $dir = utf8_encodeFN(str_replace(':', '/', $ns));
         $data = array();
         require_once(DOKU_INC.'inc/search.php');
+        $opts['skipacl'] = 0; // no ACL skipping for XMLRPC
         search($data, $conf['datadir'], 'search_allpages', $opts, $dir);
         return $data;
     }
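Review bot: The forced `$opts['skipacl'] = 0;` only works as intended when `$opts` is an array, and the visible lines of this hunk show no type check like the `is_array($options)` guard in the second hunk. The function starts above the hunk, so such a guard may already exist there; if it does not, a scalar sent by the remote client would reach this assignment and then `search()` in an unexpected shape. Adding `if (!is_array($opts)) $opts = array();` directly before the override would make both entry points behave the same way.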
@@ -398,8 +399,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
 
         $ns = cleanID($ns);
 
-        if (!is_array($options))
-            $options = array();
+        if (!is_array($options)) $options = array();
+        $options['skipacl'] = 0; // no ACL skipping for XMLRPC
 
 
         if(auth_quickaclcheck($ns.':*') >= AUTH_READ) {
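Review bot: Overriding a single key leaves every other entry of the client-supplied `$options` under the remote caller's control, so any later `search()` option that relaxes a check would be exposed again; the same applies to `$opts` in the first hunk. Copying only the option keys this API is documented to accept into a fresh array, and then setting `skipacl`, would be more robust than neutralising one key. A comment such as `// $options comes from the XML-RPC client: never forward it to search() unfiltered` would also help the next maintainer. The function body continues below the hunk, so where `$options` is consumed is not visible here.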
-- 
GitLab