One comment in the blog post[1] about the RSS Aggregator Macro[2] warns
against a serious security flaw: the extension is embedding in the page's
wiki markup strings it reads from the web (RSS feeds); if these strings
contain wiki code such as this:

<title>Let's execute some groovy: {{groovy}}println
"id".execute().getText(){{/groovy}}</title>

then it would allow random code to be executed on the server.

I investigated the issue and my current understanding is that this
vulnerability has been addressed at XWiki itself, when nested scripts[3]
were disabled in v. 2.4M2[4].

Am I correct to assume this vulnerability has been closed and that it's
safe to run this extension?


[1]
http://www.velociter.fr/journal/XWiki-plus-groovy-is-love-the-10-lines-RSS-aggregator-macro

[2]
http://extensions.xwiki.org/xwiki/bin/view/Extension/RSS+Aggregator+Macro

[3]
http://extensions.xwiki.org/xwiki/bin/view/Extension/Script+Macro#HNestedscripts

[4]
http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/ReleaseNotesXWikiEnterprise24M2#HScriptimprovements
_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
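The flaw described in the message above is the classic injection shape: text fetched from an untrusted source (feed titles) is concatenated into wiki markup, so any macro syntax it carries is executed rather than displayed. The following is an added example, not code from the original post, the RSS Aggregator Macro, or XWiki itself. It shows the two things a defender wants regardless of which XWiki version fixed nested scripts: a check that flags macro invocations (`{{name}}` / `{{/name}}`) in incoming feed text, and an escaping step that neutralises markup before the text is embedded. The escaping assumes XWiki Syntax 2.x, where `~` is the escape character; escaping every character that is not a letter, digit or whitespace is a deliberately conservative choice, and the sample titles are constructed.

```python
import re

# Constructed sample feed titles (not taken from a real feed): the first is
# benign, the second carries a macro invocation of the kind quoted in the post.
SAMPLE_TITLES = [
    "XWiki 2.4M2 released",
    "Let's execute some groovy: {{groovy}}println \"id\".execute().getText(){{/groovy}}",
]

# Matches the opening or closing form of an XWiki 2.x macro: "{{name" or "{{/name".
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z][\w-]*)")


def find_macro_invocations(text):
    """Return the sorted, de-duplicated macro names whose invocation syntax
    appears in untrusted text. Useful as a detection/logging hook: any hit in
    feed content is a sign that someone is trying to inject wiki markup."""
    return sorted({m.group(1).lower() for m in MACRO_RE.finditer(text)})


def escape_xwiki_syntax(text):
    """Escape untrusted text for literal display in XWiki Syntax 2.x.

    Assumption: '~' is the syntax's escape character. Prefixing every
    non-alphanumeric, non-whitespace character with it means no sequence such
    as '{{', '}}', '[[', '**' or '~' itself survives as markup."""
    return "".join(c if c.isalnum() or c.isspace() else "~" + c for c in text)


def render_feed_item(title):
    """Build one list-item line of wiki markup from a feed title.

    Returns (markup, flagged_macros): the markup is always escaped, and the
    flagged list lets the caller log or reject suspicious entries."""
    flagged = find_macro_invocations(title)
    return "* " + escape_xwiki_syntax(title), flagged


if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        markup, flagged = render_feed_item(title)
        print(markup)
        if flagged:
            print("  (macro syntax found in feed text: %s)" % ", ".join(flagged))
```

Escaping is the part that removes the risk; the detection hook exists so that an operator notices injection attempts in feed content instead of silently rendering them as plain text.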
