[dokuwiki] Restricted content leaking through RSS

  • From: Sander Tekelenburg <tekelenb@xxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Wed, 6 May 2009 06:39:10 +0200

Hi,

I have a Dokuwiki install here of which it was just discovered that all
content is available through RSS, despite the fact that *no* content is
configured to be public at all.

What's interesting is that subscribing to a feed with the username &
passphrase parameters, the feed does in fact correctly show only content that
that user is configured to have access to. But subscribing to the main feed,
for someone who can guess that URL, gives anyone access to all content.

I've combed through acl.auth.php but don't spot anything wrong there.

Any idea what might be causing this?

(Access to the wiki's web pages does work correctly btw -- only registered
users are allowed entry, and only to those sections defined by the ACLs.)

Important: this is an antique Dokuwiki, "Release 2006-11-06". But [1] as far
as we know this issue is relatively new -- the feeds used to respect ACLs and
[2] unfortunately we can't upgrade right this minute. Plus I've no indication
whether an upgrade would magically solve this issue anyway :) (Unless this
would be a known and fixed bug, of course. But I don't see anything obvious
pointing at that at <http://www.dokuwiki.org/changes>.)


-- 
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
-- 
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
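
A check an administrator could run against the symptom reported above, added here as an example and not part of the original post or of DokuWiki's code: it compares the items in a feed fetched without credentials against the @ALL lines of acl.auth.php. The ACL and feed samples are constructed, the rule matching is a simplified model, and links are assumed to use the doku.php?id= form.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample in acl.auth.php layout: <page|namespace:*>  <user|@group>  <level>
SAMPLE_ACL = """\
*          @ALL    0
*          @user   1
public:*   @ALL    1
"""

# Constructed sample of a feed body returned to a request sent without credentials.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>wiki</title>
<item><title>salaries</title><link>https://wiki.example/doku.php?id=staff:salaries</link></item>
<item><title>welcome</title><link>https://wiki.example/doku.php?id=public:welcome</link></item>
</channel></rss>"""

def parse_acl(text):
    """Return {scope: level} for the @ALL group, skipping comments and blanks."""
    rules = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[1] == "@ALL":
            rules[fields[0]] = int(fields[2])
    return rules

def anon_level(page_id, rules):
    """Most specific @ALL rule: exact page, then each parent namespace, then '*'."""
    if page_id in rules:
        return rules[page_id]
    parts = page_id.split(":")[:-1]
    while parts:
        scope = ":".join(parts) + ":*"
        if scope in rules:
            return rules[scope]
        parts.pop()
    return rules.get("*", 0)  # assumption: no matching rule means no access

def leaked_items(feed_xml, rules):
    """Page IDs present in an anonymous feed although @ALL cannot read them."""
    leaked = []
    for el in ET.fromstring(feed_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "item":  # tolerate namespaced RSS 1.0 tags
            continue
        link = next((c.text for c in el if c.tag.rsplit("}", 1)[-1] == "link"), "")
        page_id = parse_qs(urlparse(link or "").query).get("id", [""])[0]
        if page_id and anon_level(page_id, rules) < 1:
            leaked.append(page_id)
    return leaked

if __name__ == "__main__":
    print(leaked_items(SAMPLE_FEED, parse_acl(SAMPLE_ACL)))
```

An empty result means every item in the anonymous feed is readable by @ALL; any page ID returned is content the feed exposes beyond what the ACL grants.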
