[ http://jira.xwiki.org/jira/browse/XWIKI-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_22484 ]

dede commented on XWIKI-726:
----------------------------


> "You are not allowed..." sets $doc to the actual document, regardless of the 
> rights
> -----------------------------------------------------------------------------------
>
>                 Key: XWIKI-726
>                 URL: http://jira.xwiki.org/jira/browse/XWIKI-726
>             Project: XWiki Core
>          Issue Type: Bug
>          Components: APIs, Authentication and Rights Management, Core
>    Affects Versions: 1.0 B1, 1.0 B2
>            Reporter: Sergiu Dumitriu
>         Assigned To: Sergiu Dumitriu
>            Priority: Critical
>             Fix For: 1.0 B6
>
>
> This is a major security issue, since a user can create a custom skin which 
> outputs $doc.content, and thus can view the contents of a page he would not 
> have access to.
> The proper way of doing this:
> # if the user has view rights, then $doc, $cdoc and $tdoc should all be set 
> (right now -- b2 -- $tdoc is not set)
> # otherwise, $doc, $cdoc and $tdoc should exist, but as shallow copies of the 
> real document, holding only non-relevant information, such as name and web, 
> and phony values for the other fields, like empty content, now() as creation 
> and update dates, 1.1 as the version, etc.
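The two-branch behaviour proposed in the quoted issue (expose the real document only after a view-rights check, otherwise bind the same variable names to a shallow stub with name and web but phony content, dates and version) is shown below as an added, self-contained Python model. It is not XWiki's own code or API: the `Document` class, the `VIEW_RIGHTS` table, `has_view_right`, `shallow_copy` and `build_context` are hypothetical stand-ins, and `$doc`, `$cdoc` and `$tdoc` are modelled as one object bound under three names.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Document:
    """Hypothetical stand-in for a wiki document (not the XWiki class)."""
    web: str
    name: str
    content: str
    author: str
    version: str
    creation_date: datetime
    update_date: datetime


# Constructed rights table: (user, web, name) -> may view. Anything absent is denied.
VIEW_RIGHTS = {
    ("alice", "Main", "Secret"): True,
}


def has_view_right(user: str, doc: Document) -> bool:
    """Deny-by-default lookup; assumed stand-in for the real rights service."""
    return VIEW_RIGHTS.get((user, doc.web, doc.name), False)


def shallow_copy(doc: Document, now: Optional[datetime] = None) -> Document:
    """Stub carrying only non-sensitive identity (web, name) and phony values
    for every other field, exactly as the issue proposes: empty content,
    now() as both dates, "1.1" as the version."""
    now = now or datetime.now()
    return Document(
        web=doc.web,
        name=doc.name,
        content="",
        author="",
        version="1.1",
        creation_date=now,
        update_date=now,
    )


def build_context(doc: Document, user: str) -> dict:
    """Bind $doc, $cdoc and $tdoc for the template engine.

    The key point is that the *same* decision governs all three names: a skin
    can only ever reach the real object when the rights check passed, so a
    template printing $doc.content cannot leak the body of a denied page."""
    visible = doc if has_view_right(user, doc) else shallow_copy(doc)
    return {"doc": visible, "cdoc": visible, "tdoc": visible}


def render_skin(ctx: dict) -> str:
    """Models a custom skin that prints $doc.content (the misuse from the issue)."""
    return f"{ctx['doc'].web}.{ctx['doc'].name}: {ctx['doc'].content}"


if __name__ == "__main__":
    secret = Document("Main", "Secret", "top secret body", "admin", "3.2",
                      datetime(2007, 1, 1), datetime(2007, 2, 1))
    print(render_skin(build_context(secret, "alice")))  # authorised: real body
    print(render_skin(build_context(secret, "bob")))    # denied: empty body
```

Binding all three names from one decision is what closes the hole: with the older behaviour, a rights failure only changed the error page that was rendered while `$doc` still pointed at the real object, so any skin or template that read it could print protected content.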

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.xwiki.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
notifications mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/notifications