[
http://jira.xwiki.org/jira/browse/XWIKI-1883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vincent Massol updated XWIKI-1883:
----------------------------------
Description:
A patch was recently introduced to fix a security issue
(http://jira.xwiki.org/jira/browse/XWIKI-1832 - it's marked confidential so you
won't be able to see it probably).
However it fails in some cases apparently.
The issue is that the XWikiContext is created for each XMLRPC request and the
current doc isn't set inside it and some parts of the rights checking code
checks for the user.
{noformat}
Caused by:
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(String.java:1938)
at com.xpn.xwiki.util.Util.getWeb(Util.java:200)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.isSuperUser(XWikiRightServiceImpl.java:700)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.hasAccessLevel(XWikiRightServiceImpl.java:494)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.hasAccessLevel(XWikiRightServiceImpl.java:231)
at
com.xpn.xwiki.xmlrpc.DomainObjectFactory.checkRights(DomainObjectFactory.java:119)
at
com.xpn.xwiki.xmlrpc.DomainObjectFactory.getDocFromPageId(DomainObjectFactory.java:89)
at
com.xpn.xwiki.xmlrpc.ConfluenceRpcHandler.renderContent(ConfluenceRpcHandler.java:682)
{noformat}
was:
A patch was recently introduced to fix a security issue
(http://jira.xwiki.org/jira/browse/XWIKI-1832 - it's marked confidential so you
won't be able to see it probably).
However it fails in some cases apparently.
The issue is that the XWikiContext is created for each XMLRPC request and the
user isn't set inside it and some parts of the rights checking code checks for
the user.
{noformat}
Caused by:
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(String.java:1938)
at com.xpn.xwiki.util.Util.getWeb(Util.java:200)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.isSuperUser(XWikiRightServiceImpl.java:700)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.hasAccessLevel(XWikiRightServiceImpl.java:494)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.hasAccessLevel(XWikiRightServiceImpl.java:231)
at
com.xpn.xwiki.xmlrpc.DomainObjectFactory.checkRights(DomainObjectFactory.java:119)
at
com.xpn.xwiki.xmlrpc.DomainObjectFactory.getDocFromPageId(DomainObjectFactory.java:89)
at
com.xpn.xwiki.xmlrpc.ConfluenceRpcHandler.renderContent(ConfluenceRpcHandler.java:682)
{noformat}
Reverting the patch for now.
> XMLRPC isn't working anymore
> ----------------------------
>
> Key: XWIKI-1883
> URL: http://jira.xwiki.org/jira/browse/XWIKI-1883
> Project: XWiki Platform
> Issue Type: Bug
> Components: Web Services
> Affects Versions: 1.2 M2
> Reporter: Vincent Massol
> Assigned To: Vincent Massol
> Priority: Critical
> Fix For: 1.2 RC1
>
>
> A patch was recently introduced to fix a security issue
> (http://jira.xwiki.org/jira/browse/XWIKI-1832 - it's marked confidential so
> you won't be able to see it probably).
> However it fails in some cases apparently.
> The issue is that the XWikiContext is created for each XMLRPC request and the
> current doc isn't set inside it and some parts of the rights checking code
> checks for the user.
> {noformat}
> Caused by:
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
> at java.lang.String.substring(String.java:1938)
> at com.xpn.xwiki.util.Util.getWeb(Util.java:200)
> at
> com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.isSuperUser(XWikiRightServiceImpl.java:700)
> at
> com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.hasAccessLevel(XWikiRightServiceImpl.java:494)
> at
> com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.hasAccessLevel(XWikiRightServiceImpl.java:231)
> at
> com.xpn.xwiki.xmlrpc.DomainObjectFactory.checkRights(DomainObjectFactory.java:119)
> at
> com.xpn.xwiki.xmlrpc.DomainObjectFactory.getDocFromPageId(DomainObjectFactory.java:89)
> at
> com.xpn.xwiki.xmlrpc.ConfluenceRpcHandler.renderContent(ConfluenceRpcHandler.java:682)
> {noformat}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.xwiki.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
notifications mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/notifications
