Author: ludovic
Date: 2007-09-06 11:16:14 +0200 (Thu, 06 Sep 2007)
New Revision: 4736
Modified:
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
Log:
XWIKI-1741 Security Issue in multiwiki mode
Modified:
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java
===================================================================
---
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java
2007-09-06 09:08:24 UTC (rev 4735)
+++
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/XWiki.java
2007-09-06 09:16:14 UTC (rev 4736)
@@ -532,6 +532,34 @@
+ servername.substring(1);
}
+ public String getWikiOwner(String servername, XWikiContext context) throws
XWikiException
+ {
+ String wikiOwner = context.getWikiOwner();
+
+ if (isVirtual()) {
+ String serverwikipage = getServerWikiPage(servername);
+ String currentdatabase = context.getDatabase();
+
+ try {
+ context.setDatabase(context.getMainXWiki());
+
+ XWikiDocument doc = getDocument(serverwikipage, context);
+
+ if (doc.isNew()) {
+ throw new XWikiException(XWikiException.MODULE_XWIKI,
+ XWikiException.ERROR_XWIKI_DOES_NOT_EXIST,
+ "The wiki " + servername + " does not exist");
+ }
+
+ wikiOwner = doc.getStringValue("XWiki.XWikiServerClass",
"owner");
+ } finally {
+ context.setDatabase(currentdatabase);
+ }
+ }
+
+ return wikiOwner;
+ }
+
public XWiki(XWikiConfig config, XWikiContext context) throws
XWikiException
{
this(config, context, null, false);
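Review bot: The owner string in `getWikiOwner` is returned exactly as stored in `XWiki.XWikiServerClass` on the main wiki, and nothing in the hunk qualifies it with the wiki it belongs to. If the stored value carries no wiki prefix and the caller compares it with a user name resolved inside the sub-wiki, a local account with the same page name could be treated as the owner. Whether that applies depends on how the caller builds the name, which is not visible here. Consider normalising right after the `getStringValue` call, e.g. `if (wikiOwner != null && wikiOwner.indexOf(':') == -1) wikiOwner = context.getMainXWiki() + ":" + wikiOwner;`, or documenting the expected format. The method also lacks Javadoc, which should state that it temporarily switches the context database to the main wiki, restores it in `finally`, and throws `XWikiException` when the server page does not exist.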
Modified:
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
===================================================================
---
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
2007-09-06 09:08:24 UTC (rev 4735)
+++
xwiki-platform/core/branches/xwiki-core-1.1/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
2007-09-06 09:16:14 UTC (rev 4736)
@@ -461,7 +461,7 @@
try {
// Verify Wiki Owner
- String wikiOwner = context.getWikiOwner();
+ String wikiOwner = context.getWiki().getWikiOwner(database,
context);
if (wikiOwner != null) {
if (wikiOwner.equals(name)) {
logAllow(name, resourceKey, accessLevel, "admin level from
wiki ownership");
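Review bot: The lookup `context.getWiki().getWikiOwner(database, context)` can throw `XWikiException` and loads a document from the main wiki on every check, whereas the old `context.getWikiOwner()` was a plain getter. The `catch` of the surrounding `try` lies outside this hunk, so confirm that a failed lookup is logged and can never end in an allow decision. An unset `owner` property presumably comes back as an empty string, which passes `wikiOwner != null`; a guard such as `if (wikiOwner != null && wikiOwner.length() > 0)` would make the intent explicit. The enclosing method starts and ends outside the hunk.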