On Mon, May 13, 2013 at 6:24 PM, Sergiu Dumitriu <[email protected]> wrote:
> On 05/13/2013 12:13 PM, Thomas Delafosse wrote:
> > I think it's more secure to let it be used only on the current user profile
> > page. Otherwise we can imagine an attacker creating a page where this check
> > is performed against the current user, enabling him to gain information
> > about the users visiting this page.
> > (For example he could do something like
> >
> >   #foreach($passwd in $passwdList)
> >     #if($xwiki.getUser().checkPassword($passwd))
> >       Store this information somewhere (in another doc, in an object, or
> >       even by sending me a mail)
> >     #end
> >   #end
> > )
>
> This can still be done "apparently" in the context of the profile
> document using, for example, something like XWIKI-8885. This is just
> another inefficient hoop through which we force motivated attackers to
> go, but which doesn't fix the security issue.

You are right, there are currently ways to work around this check. But I hope
that with Andreas' branch it would be harder to find such leaks, and anyway it
makes this attack available only to attackers having found these leaks. Even if
this is not perfect, I feel more comfortable this way.

> On the other hand, it restricts its usage to just one specific purpose,
> that of changing the password, when it could serve other useful (future)
> scenarios, like confirming some dangerous changes (signing a script,
> installing a XAR as backup package, permanently emptying the trash bins).

I agree, it could be useful to check the password at some other points. So what
we could do is allow public check only from the user's profile page, and PR
check from any page. The issue with the change of password is that the template
doesn't have PR, but I guess that in the scenarios you mention, this would be
done from a normal wiki page, and thus we could ask this page to have PR.
What do you think?

> > And I don't think that users with PR need to be able to make this check on
> > any user (and if they need they can still perform it through the core), so
> > I prefer to keep it this way.
>
> Agreed.
>
> > Cheers,
> >
> > Thomas
> >
> >
> > On Mon, May 13, 2013 at 5:42 PM, Sergiu Dumitriu <[email protected]> wrote:
> >
> > > On 05/06/2013 09:44 AM, Thomas Delafosse wrote:
> > > > Hi all,
> > > >
> > > > After discussing it with Vincent, it seems that it would be better to
> > > > be able to access this method without PR: thus we could keep the code for
> > > > changing the password in passwd.vm instead of having to make a new page
> > > > with PR for that. To prevent malicious users from using it nonetheless, I
> > > > propose that this method could only be used to check the current user
> > > > password, and only on their profile page.
> > > > Does this seem OK to you, or do you think this should be done another way?
> > >
> > > Why only on the user's profile page?
> > >
> > > The method could allow public check only for the current user, and PR
> > > check for any user.
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
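As an added illustration of the rule the thread converges on (the check is always against the current user; a page without PR may run it only from that user's profile page; a page with PR may run it from anywhere), here is a standalone Python model. This is editor-added example code, not XWiki's implementation and not anything posted by the participants. The `Context` class, the `check_password` and `attacker_page` functions, the `USERS` table, the PBKDF2 storage scheme and the assumption that a user's profile document has the same reference as the user are all assumptions made for the model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed storage scheme for the model: user reference -> (salt, PBKDF2-SHA256 hash).
# Not XWiki's password storage format.
PBKDF2_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


# Constructed sample users for the example.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "XWiki.Alice": make_user_record("correct horse"),
    "XWiki.Bob": make_user_record("hunter2"),
}


@dataclass(frozen=True)
class Context:
    current_user: str   # authenticated user who is rendering the page
    document: str       # reference of the document whose script is running
    has_pr: bool        # whether that document's author has programming rights


class AccessDenied(Exception):
    """Raised when the calling page is not allowed to perform the check."""


def profile_page_of(user: str) -> str:
    # Assumption of the model: the profile document shares the user's reference.
    return user


def check_password(ctx: Context, candidate: str) -> bool:
    """Check `candidate` against the *current* user's password.

    Without PR the check is only allowed from the current user's profile page,
    which is the restriction discussed in the thread. With PR it is allowed from
    any page, but still only for the current user: a PR holder wanting to check
    another user can go through the core instead.
    """
    if not ctx.has_pr and ctx.document != profile_page_of(ctx.current_user):
        raise AccessDenied(
            "without PR, the password check is only allowed from the user's profile page"
        )
    record = USERS.get(ctx.current_user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_hash(candidate, salt), stored)


def attacker_page(ctx: Context, guesses: List[str]) -> Optional[Tuple[str, str]]:
    """The loop from the thread: a page that tries a wordlist against whoever
    renders it. Returns (user, password) if a guess is confirmed, or None if a
    guess fails or the first call is refused."""
    for guess in guesses:
        try:
            if check_password(ctx, guess):
                return ctx.current_user, guess
        except AccessDenied:
            return None
    return None
```

The model trusts `ctx.document` as the identity of the page that is running the script; that is exactly the value Sergiu notes can be made to look like the profile document (XWIKI-8885), so the rule raises the bar for the non-PR case rather than closing the hole. A page whose author holds PR can still run the loop against its visitors, which is consistent with "PR check from any page": PR already grants core access, so the restriction only matters for pages without it.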

