Hi Moritz,

Moritz Muehlenhoff wrote:
> Severity: grave

Thanks for the severity assessment by the security team. I wasn't
really sure if this is RC or "just important".

I've had a look at the new upstream tarballs, but the diff is
unfortunately huge:

$ tardiff dokuwiki-2022-07-31{a,b}.tgz
- composer.json
- composer.lock
- data/pages/playground
- data/pages/playground/playground.txt
- lib/plugins/authpdo/_test
- lib/plugins/authpdo/_test/mysql
- lib/plugins/authpdo/_test/mysql.test.php
- lib/plugins/authpdo/_test/mysql/fluxbb.php
- lib/plugins/authpdo/_test/mysql/fluxbb.sql
- lib/plugins/authpdo/_test/mysql/mybb.php
- lib/plugins/authpdo/_test/mysql/mybb.sql
- lib/plugins/authpdo/_test/mysql/wordpress.php
- lib/plugins/authpdo/_test/mysql/wordpress.sql
- lib/plugins/authpdo/_test/pgsql
- lib/plugins/authpdo/_test/pgsql.test.php
- lib/plugins/authpdo/_test/pgsql/django.php
- lib/plugins/authpdo/_test/pgsql/django.sql
- lib/plugins/authpdo/_test/sqlite.test.php
- lib/plugins/authpdo/_test/test.sqlite3
- lib/plugins/authplain/_test
- lib/plugins/authplain/_test/conf
- lib/plugins/authplain/_test/conf/auth.users.php
- lib/plugins/authplain/_test/escaping.test.php
- lib/plugins/authplain/_test/userdata.test.php
- lib/plugins/config/_test
- lib/plugins/config/_test/ConfigParserTest.php
- lib/plugins/config/_test/DocumentationTest.php
- lib/plugins/config/_test/LoaderExtraDefaultsTest.php
- lib/plugins/config/_test/LoaderTest.php
- lib/plugins/config/_test/Setting
- lib/plugins/config/_test/Setting/AbstractSettingTest.php
- lib/plugins/config/_test/Setting/SettingArrayTest.php
- lib/plugins/config/_test/Setting/SettingNumericTest.php
- lib/plugins/config/_test/Setting/SettingNumericoptTest.php
- lib/plugins/config/_test/Setting/SettingOnoffTest.php
- lib/plugins/config/_test/Setting/SettingStringTest.php
- lib/plugins/config/_test/Setting/SettingTest.php
- lib/plugins/config/_test/WriterTest.php
- lib/plugins/config/_test/data
- lib/plugins/config/_test/data/config.php
- lib/plugins/config/_test/data/metadata.php
- lib/plugins/extension/_test
- lib/plugins/extension/_test/extension.test.php
- lib/plugins/extension/_test/testdata
- lib/plugins/extension/_test/testdata/either1
- lib/plugins/extension/_test/testdata/either1/script.js
- lib/plugins/extension/_test/testdata/eithersub2
- lib/plugins/extension/_test/testdata/eithersub2/either2
- lib/plugins/extension/_test/testdata/eithersub2/either2/script.js
- lib/plugins/extension/_test/testdata/plgfoo5
- lib/plugins/extension/_test/testdata/plgfoo5/plugin.info.txt
- lib/plugins/extension/_test/testdata/plgsub3
- lib/plugins/extension/_test/testdata/plgsub3/plugin3
- lib/plugins/extension/_test/testdata/plgsub3/plugin3/syntax.php
- lib/plugins/extension/_test/testdata/plgsub4
- lib/plugins/extension/_test/testdata/plgsub4/plugin4
- lib/plugins/extension/_test/testdata/plgsub4/plugin4/plugin.info.txt
- lib/plugins/extension/_test/testdata/plgsub6
- lib/plugins/extension/_test/testdata/plgsub6/plgfoo6
- lib/plugins/extension/_test/testdata/plgsub6/plgfoo6/plugin.info.txt
- lib/plugins/extension/_test/testdata/plugin1
- lib/plugins/extension/_test/testdata/plugin1/syntax.php
- lib/plugins/extension/_test/testdata/plugin2
- lib/plugins/extension/_test/testdata/plugin2/plugin.info.txt
- lib/plugins/extension/_test/testdata/template1
- lib/plugins/extension/_test/testdata/template1/main.php
- lib/plugins/extension/_test/testdata/template1/style.ini
- lib/plugins/extension/_test/testdata/template2
- lib/plugins/extension/_test/testdata/template2/template.info.txt
- lib/plugins/extension/_test/testdata/tplfoo5
- lib/plugins/extension/_test/testdata/tplfoo5/template.info.txt
- lib/plugins/extension/_test/testdata/tplsub3
- lib/plugins/extension/_test/testdata/tplsub3/template3
- lib/plugins/extension/_test/testdata/tplsub3/template3/main.php
- lib/plugins/extension/_test/testdata/tplsub3/template3/style.ini
- lib/plugins/extension/_test/testdata/tplsub4
- lib/plugins/extension/_test/testdata/tplsub4/template4
- lib/plugins/extension/_test/testdata/tplsub4/template4/template.info.txt
- lib/plugins/extension/_test/testdata/tplsub6
- lib/plugins/extension/_test/testdata/tplsub6/tplfoo6
- lib/plugins/extension/_test/testdata/tplsub6/tplfoo6/template.info.txt
- lib/plugins/styling/.travis.yml
- lib/plugins/styling/_test
- lib/plugins/styling/_test/colors.test.php
- lib/plugins/styling/_test/general.test.php
- lib/plugins/testing
- lib/plugins/testing/_test
- lib/plugins/testing/_test/dummy_plugin_integration_test.test.php
- lib/plugins/testing/_test/dummy_plugin_test.test.php
- lib/plugins/testing/action.php
- lib/plugins/testing/conf
- lib/plugins/testing/conf/default.php
- lib/plugins/testing/conf/metadata.php
- lib/plugins/testing/lang
- lib/plugins/testing/lang/en
- lib/plugins/testing/lang/en/settings.php
- lib/plugins/testing/plugin.info.txt
- lib/plugins/usermanager/_test
- lib/plugins/usermanager/_test/csv_export.test.php
- lib/plugins/usermanager/_test/csv_import.test.php
- lib/plugins/usermanager/_test/mocks.class.php
- vendor/aziraphale/email-address-validator/.gitignore
- vendor/aziraphale/email-address-validator/composer.json
- vendor/geshi/geshi/.editorconfig
- vendor/geshi/geshi/.gitignore
- vendor/geshi/geshi/composer.json
- vendor/kissifrot/php-ixr/.editorconfig
- vendor/kissifrot/php-ixr/.gitignore
- vendor/kissifrot/php-ixr/composer.json
- vendor/marcusschwarz/lesserphp/.gitignore
- vendor/marcusschwarz/lesserphp/composer.json
- vendor/openpsa/universalfeedcreator/.editorconfig
- vendor/openpsa/universalfeedcreator/.gitattributes
- vendor/openpsa/universalfeedcreator/.gitignore
- vendor/openpsa/universalfeedcreator/composer.json
- vendor/phpseclib/phpseclib/appveyor.yml
- vendor/phpseclib/phpseclib/composer.json
- vendor/simplepie/simplepie/composer.json
- vendor/splitbrain/php-archive/.gitignore
- vendor/splitbrain/php-archive/composer.json
- vendor/splitbrain/php-cli/.gitignore
- vendor/splitbrain/php-cli/composer.json
- vendor/splitbrain/slika/.gitattributes
- vendor/splitbrain/slika/.gitignore
- vendor/splitbrain/slika/composer.json
- vendor/splitbrain/slika/composer.lock

🙄

So I'll likely just add the patch. I assume the release team is
happier that way, too.

P.S.:

> https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/

Do you know if the content behind this link will become public at
some time?

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE