ACL checks in the media file details ajax calls only for root/arbitrary namespace #765

Closed
@michitux

Description

@michitux

A comment in our old bug tracker alerted me to this issue: in the media manager, ACLs are broken for all views for individual files if you have access to the root namespace or, in the case of the media diff ajax call, an arbitrary namespace.

I have reproduced this issue in my local DokuWiki installation: I can simply open an image I have no permission for in the media manager, I get a permission denied message in the media details tab, and when I click on the detail tabs they load via ajax with the real content. The media diff ajax call is a bit more difficult to test as the ns parameter (but only that one) is a POST parameter, but after changing the code to accept a GET parameter as well I can clearly see that it uses the ns parameter for the permission check (and nothing else).

No actual file content is exposed, just the metadata, but the metadata can contain a lot of information (title, caption etc. from the exif metadata) and the full history is displayed, too. This also requires knowing the actual media file id.

So far I can see the following problems in the code:

  • in ajax_mediadetails(), $NS is not set, but in tpl_mediaFileDetails() $NS is used and its value is only checked when it is set (if(isset($NS) && getNS($image) != $NS) return;)
  • $AUTH is a cache for the permissions of the current media ns (wtf?) which is set by ajax_mediadiff() using the "ns" parameter as namespace without any checks if this is actually the namespace of the current media file. This check is done in tpl_mediaFileDetails() but not in media_diff() which is called in ajax_mediadiff().

I think a first fix could be to ignore the ns parameter in all ajax calls and instead set it based on the supplied image id.

I think we should fix this and release a hotfix release ASAP.
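The two code paths described above, modelled side by side as an added, stand-alone Python example written for this page (it is not DokuWiki's own PHP and does not reproduce its API). The ACL table, the users `guest` and `alice`, the media ids and their metadata are constructed sample data; `get_ns()` only mimics what DokuWiki's `getNS()` does, namely returning everything before the last `:` of an id. `media_details_vulnerable()` checks permissions against the request-supplied namespace (root when none is supplied), while `media_details_fixed()` derives the namespace from the media id, as the issue proposes.

```python
"""Stand-alone model of the access check described in the issue.

Added example for this page; it is not DokuWiki code.  The ACL table, the
users and the media metadata below are constructed sample data, and get_ns()
only mimics what DokuWiki's getNS() does (everything before the last ':').
"""

AUTH_NONE = 0
AUTH_READ = 1

# Constructed ACL rules: (namespace pattern, user or group) -> permission.
# "*" is the root-namespace rule, "private:*" applies to the private namespace.
ACL = {
    ("*", "@ALL"): AUTH_READ,
    ("private:*", "@ALL"): AUTH_NONE,
    ("private:*", "alice"): AUTH_READ,
}

# Constructed media metadata keyed by media id.
MEDIA = {
    "logo.png": {"title": "Public logo"},
    "private:payroll.jpg": {"title": "Payroll scan", "caption": "Q3 salaries"},
}


def get_ns(media_id):
    """Namespace part of a media id: 'a:b:c.jpg' -> 'a:b', 'logo.png' -> ''."""
    return media_id.rsplit(":", 1)[0] if ":" in media_id else ""


def _rule_matches(rule_ns, ns):
    # The root rule matches everything; a namespace rule matches itself
    # and all of its sub-namespaces.
    return rule_ns == "" or ns == rule_ns or ns.startswith(rule_ns + ":")


def acl_check(user, ns):
    """Permission of `user` in namespace `ns`: the deepest matching rule wins,
    and a rule naming the user beats the @ALL rule at the same depth."""
    best_rank, best_perm = (-1, False), AUTH_NONE
    for (pattern, who), perm in ACL.items():
        if who not in (user, "@ALL"):
            continue
        rule_ns = pattern[:-2] if pattern.endswith(":*") else ""
        if not _rule_matches(rule_ns, ns):
            continue
        rank = (len(rule_ns.split(":")) if rule_ns else 0, who == user)
        if rank > best_rank:
            best_rank, best_perm = rank, perm
    return best_perm


def media_details_vulnerable(user, media_id, ns=None):
    """Mirrors the reported behaviour.

    `ns` plays the role of the request-supplied $NS: the namespace guard only
    runs when it is set (and ajax_mediadetails() never sets it), and $AUTH is
    computed for that namespace, or for the root namespace when it is unset,
    never for the namespace the media id actually belongs to.
    """
    if ns is not None and get_ns(media_id) != ns:
        return None
    auth = acl_check(user, ns if ns is not None else "")
    if auth < AUTH_READ:
        return None
    return MEDIA.get(media_id)


def media_details_fixed(user, media_id, ns=None):
    """The fix the issue proposes: ignore the supplied ns entirely and derive
    the namespace to check from the media id itself."""
    del ns  # the request parameter is untrusted and deliberately unused
    if acl_check(user, get_ns(media_id)) < AUTH_READ:
        return None
    return MEDIA.get(media_id)


if __name__ == "__main__":
    # A user with no access to the private namespace still gets the metadata
    # from the vulnerable path, because the check ran against the root namespace.
    print(media_details_vulnerable("guest", "private:payroll.jpg"))
    print(media_details_fixed("guest", "private:payroll.jpg"))
```

The point the model makes is that caching permissions for a namespace taken from the request is only safe if the code also proves the requested object lives in that namespace; deriving the namespace from the object id removes the need for that second check altogether.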
