Ticket #305 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

RSS and ACL on recent changes

Reported by: anonymous Owned by: DarTar
Priority: high Milestone: 1.1.6.3
Component: handlers Version: 1.1.6.2
Severity: major Keywords: security configuration feeds rss
Cc:

Description (last modified by DarTar) (diff)

As of 1.1.6.2 the recentchanges feed can disclose the name, revision date and optional edit note of private pages. This raises some privacy concerns, even though the content of private pages is not accessible via the feed.

Note

Secunia Advisory and the National Vulnerability Database have issued inaccurate security reports referring to this ticket and stating that content of private pages could be disclosed because of this bug, which is blatantly false.

Change History

Changed 4 years ago by DarTar

  • status changed from new to assigned
  • severity changed from normal to major
  • component changed from unspecified to handlers
  • summary changed from RSS and rights on recente changes page to RSS and ACL on recent changes
  • priority changed from normal to high
  • owner changed from unassigned to DarTar
  • milestone set to 1.1.6.3
  • keywords security configuration added

Changed 3 years ago by DarTar

(In [424]) Fixes ACL permissions on RecentChanges feeds, refs #305

Changed 3 years ago by DarTar

(In [425]) Fixes ACL permissions on RecentChanges feeds as per [424] in trunk, refs #305

Changed 3 years ago by DarTar

  • keywords feeds rss added
  • milestone changed from 1.1.7 to 1.1.6.3

Issue closed both in 1.1.6.3 and trunk

Changed 3 years ago by DarTar

  • status changed from assigned to closed
  • resolution set to fixed

Changed 3 years ago by DarTar

  • description modified (diff)

Changed 3 years ago by JavaWoman

  • status changed from reopened to closed
  • resolution set to fixed

closed again - was probably reopened by mass spam removal

Note: See TracTickets for help on using tickets.