Hi Henning,
I think your remark is spot on. I'll check with Sergiu whether this should
be removed (it's quite an easy modification to do).
Actually, right now you can change it by editing the page and
replacing "<tt>${userEmail}</tt>" with "your email address":
67: #if($mailResult == 0)
68: #info("An e-mail was sent to <tt>${userEmail}</tt>. Please follow the
instructions in that e-mail to complete the password reset procedure.")
69: #else
Thanks for the hint,
Guillaume
On Mon, Feb 23, 2009 at 12:20 PM, Henning Sprang
<[email protected]> wrote:
> On Mon, Feb 23, 2009 at 2:08 AM, Niels Mayer <[email protected]> wrote:
> > In XWiki 1.8RC1, this "security issue" doesn't seem to be the case by
> > default.
>
> I'll check that.
>
> I realized I made a mistake in the first sentence. I didn't see the
> problem of code being shown or something like that, but when I call
> the resetPassword function,
> the system shows the _Email_ address of the username for whom I call
> the resetpassword.
>
> And because anybody can call this function for any user, and because,
> in the default setting (so that password reset and other things
> work properly), the pages that show all usernames are viewable by
> unregistered users, people can harvest email addresses from all users
> on the wiki.
>
> But yes, the code viewing and execution stuff is interesting for other
> threads I started these days and for the general idea that I usually
> don't like to make the whole XWiki space viewable by unregistered
> users.
>
> Henning
--
Guillaume Lerouge
Product Manager - XWiki
Skype ID : wikibc
http://guillaumelerouge.com/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
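As an added example (not XWiki's own code), here is a small Python model of the two ResetPassword behaviours discussed in the thread: the leaky response that interpolates the looked-up address the way the quoted #info line does, the variant using Guillaume's replacement text "your email address", and a regression check that flags any directory address surfacing in a response. The user directory, addresses and the function names are constructed for the illustration.

```python
import re

# Constructed sample user directory; these are not real accounts.
USER_EMAILS = {
    "XWiki.JohnDoe": "john.doe@example.org",
    "XWiki.JaneRoe": "jane.roe@example.org",
}

# Records what the simulated mail sender would deliver, so both responders
# can be compared without a mail server.
SENT_MAIL = []


def send_reset_mail(address: str) -> None:
    SENT_MAIL.append(address)


def reset_response_leaky(username: str) -> str:
    """Like the #info line quoted in the thread: the address looked up for the
    target account is echoed to whoever requested the reset."""
    address = USER_EMAILS.get(username)
    if address is None:
        return "No user found with that name."
    send_reset_mail(address)
    return (f"An e-mail was sent to <tt>{address}</tt>. Please follow the "
            "instructions in that e-mail to complete the password reset procedure.")


def reset_response_hardened(username: str) -> str:
    """Guillaume's suggested fix: the mail still goes out, but the page only
    says 'your email address', so the requester learns nothing about the account."""
    address = USER_EMAILS.get(username)
    if address is None:
        return "No user found with that name."
    send_reset_mail(address)
    return ("An e-mail was sent to your email address. Please follow the "
            "instructions in that e-mail to complete the password reset procedure.")


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def leaked_addresses(response: str) -> set:
    """Regression check: any directory address appearing in a page rendered
    for an arbitrary (possibly unregistered) caller is a disclosure."""
    found = set(EMAIL_RE.findall(response))
    return found & set(USER_EMAILS.values())
```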