Description
A comment in our old bug tracker alerted me to this issue: in the media manager, ACLs are broken for all views of individual files if you have access to the root namespace or, in the case of the media diff AJAX call, an arbitrary namespace.
I have reproduced this issue in my local DokuWiki installation: I can simply open an image I have no permission for in the media manager; I get a permission denied message in the media details tab, and when I click on the detail tabs they load via AJAX with the real content. The media diff AJAX call is a bit more difficult to test, as the ns parameter (but only that one) is a POST parameter, but after changing the code to accept a GET parameter as well I can clearly see that it uses the ns parameter for the permission check (and nothing else).
No actual file content is exposed, just the metadata, but the metadata can contain a lot of information (title, caption etc. from the EXIF metadata), and the full history is displayed, too. This also requires knowing the actual media file id.
So far I can see the following problems in the code:
- in `ajax_mediadetails()`, `$NS` is not set, but in `tpl_mediaFileDetails()` `$NS` is used and its value is only checked when it is set (`if(isset($NS) && getNS($image) != $NS) return;`)
- `$AUTH` is a cache for the permissions of the current media ns (wtf?) which is set by `ajax_mediadiff()` using the "ns" parameter as namespace without any checks if this is actually the namespace of the current media file. This check is done in `tpl_mediaFileDetails()` but not in `media_diff()` which is called in `ajax_mediadiff()`.
I think a first fix could be to ignore the ns parameter in all ajax calls and instead set it based on the supplied image id.
I think we should fix this and release a hotfix release ASAP.
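As an added illustration of the fix suggested above (this is not DokuWiki's own code and not part of the original issue), here is a helper that derives the namespace and ACL level from the supplied image id, placed beside the request-`ns` pattern the report describes. It assumes DokuWiki's `cleanID()`, `getNS()`, `auth_quickaclcheck()` and the `AUTH_READ` constant are loaded; the handler name `ajax_mediadetails_hardened()` and the plain `$_REQUEST` access are assumptions made for the example.

```php
<?php
// Added illustration, not DokuWiki's code: deriving the media namespace and
// ACL level from the image id instead of trusting a client-supplied "ns".
// Assumes DokuWiki core helpers cleanID(), getNS(), auth_quickaclcheck()
// and the AUTH_READ constant are available.

/**
 * Pattern described in the report: the permission level is computed for
 * whatever namespace the client names, so a request for an image in a
 * restricted namespace can pass a readable namespace in "ns" and get
 * through. The $image argument is never consulted for the check.
 */
function media_auth_from_request_ns($image, $requested_ns) {
    $NS   = cleanID($requested_ns);        // attacker-controlled
    $AUTH = auth_quickaclcheck("$NS:*");   // checks the wrong namespace
    return array('ns' => $NS, 'auth' => $AUTH);
}

/**
 * Hardened pattern: the namespace comes from the image id itself, so the
 * ACL check always applies to the namespace the file actually lives in.
 * getNS() returns false for the root namespace; "$NS:*" then becomes ":*",
 * which is the same form DokuWiki uses for root-namespace checks.
 */
function media_auth_from_image($image) {
    $image = cleanID($image);
    $NS    = getNS($image);
    $AUTH  = auth_quickaclcheck("$NS:*");
    return array('ns' => $NS, 'auth' => $AUTH);
}

/**
 * Hypothetical handler (name is an assumption) showing the helper in use:
 * the "ns" request parameter is deliberately ignored, and no metadata or
 * history is rendered unless the caller may read the image's own namespace.
 * The same helper would serve a diff handler, which is the other call the
 * report identifies as trusting "ns".
 */
function ajax_mediadetails_hardened() {
    $image = isset($_REQUEST['image']) ? $_REQUEST['image'] : '';
    $info  = media_auth_from_image($image);
    if ($info['auth'] < AUTH_READ) {
        http_response_code(403);
        return false;
    }
    // ... render metadata and revision history for $image here ...
    return true;
}
```

The key property is that `media_auth_from_image()` takes a single argument, so there is no second, client-chosen namespace that could disagree with the one the image belongs to.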