thanks for spotting it, Motohiko :-)

I've pushed 2.10.4-03 with a fix for this; instead of just returning
there's also a sendRedirect so the request can be routed to the Login.jsp
page, with the appropiate redirect parameter (I was getting a blank page
with the return alone). I'm also deploying a snapshot right now, so it
should be available in ~45 minutes.


best regards,
juan pablo

On Thu, Mar 29, 2018 at 3:01 PM, Motohiko Matsuda <m...@acm.org> wrote:

> Hi,
>
> First of all, thank you, developers of JSPWIKI.
> We are using JSPWIKI very nicely as an internal wiki for a long time.
>
> But, we needed to apply a fix before using JSPWIKI.
> It reveals the content of the "Main" page without login,
> when we omit the arguments to a JSP page.
> For example, just "https://xxx/xxx/Edit.jsp"; shows the Main page
> (omitting the following "?page=xxx").
> I have checked in 2.10.3, but it is not fixed.
>
> We are happy if it will contribute to JSPWIKI.
>
>         Regards,
>         Motohiko Matsuda
>
> Files need a fix:
>
> Comment.jsp
> Delete.jsp
> Diff.jsp
> Edit.jsp
> PageInfo.jsp
> PageModified.jsp
> Preview.jsp
> Rename.jsp
>
> The diff (all files need the same fix):
>
> --- Edit.jsp.org        Tue Feb 16 22:11:28 2016
> +++ Edit.jsp    Tue Oct 17 11:47:04 2017
> @@ -54,6 +54,8 @@
>      // Create wiki context and check for authorization
>      WikiContext wikiContext = wiki.createContext( request,
> WikiContext.EDIT );
>      if(!wiki.getAuthorizationManager().hasAccess( wikiContext, response
> )) return;
> +    if (wikiContext.getCommand().getTarget() == null) {return;}
>      String pagereq = wikiContext.getName();
>
>      WikiSession wikiSession = wikiContext.getWikiSession();
>

Reply via email to