Description
Each user's MoinEditorBackup is private to them because of an acl, but the MoinEditorBackup can become public if the last page you were editing itself contains a more public acl.
This could:
- make edits that you decided to cancel visible to others
- reduce users' confidence in the security system if they see that someone else can see their canceled edits
Exposed MoinEditorBackup pages are easy to find, even accidentally, because they appear in indexes and in search results.
Example
A MoinEditorBackup page automatically gets an acl specific to the user, like:
#acl JoeBloggs:read,write,delete
But, if JoeBloggs opens a page to edit that has:
#acl StudentGroup:read,write
...then makes some changes, previews them and cancels the edit, anyone in StudentGroup can read and write JoeBloggs/MoinEditorBackup because it contains:
#acl JoeBloggs:read,write,delete
#acl StudentGroup:read,write
Details
MoinMoin Version: 1.2.3
Workaround
After editing a page with an acl, either:
- manually edit (or erase) your MoinEditorBackup; or
- edit (or preview then cancel) another page so that your MoinEditorBackup no longer contains sensitive information.
Possible Fixes
- limit the search for acls to finish at some point (maybe ----) and then introduce that markup at the top of the MoinEditorBackup page; or
- change the generated acl to read
#acl JoeBloggs:read,write,delete All:
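The leak in the Example section and the second proposed fix both follow from how MoinMoin combines and evaluates ACL lines: every leading #acl line contributes entries in document order, and the first entry that matches the requesting user decides their rights. The following is an added example written for this report, not MoinMoin's own ACL code; it is a simplified model (subjects are matched by user name, group membership or the keyword All; the Known/Trusted keywords and the +/- rights modifiers are left out), and make_backup is a constructed stand-in for how the backup page is assembled rather than the real implementation. It reproduces the leaky backup, shows that appending "All:" shadows the copied StudentGroup entry, and includes a small audit helper that reports which entries in a user's backup can still grant rights to someone other than the owner.

```python
"""Simplified model of MoinMoin 1.x ACL evaluation (added example, not MoinMoin's code).

Models the three facts the bug report relies on:
  * every leading '#acl' line of a page contributes entries, in document order;
  * the first entry matching the requesting user decides; later entries are ignored;
  * 'All:' with no rights therefore shuts the door for everyone not matched earlier.
"""
import re
from typing import List, Set, Tuple

# One entry: (subjects, rights), e.g. (["StudentGroup"], {"read", "write"}).
AclEntry = Tuple[List[str], Set[str]]

ACL_LINE = re.compile(r"^#acl\s*(.*)$")


def parse_acl(page_text: str) -> List[AclEntry]:
    """Collect the entries of every '#acl' processing instruction at the top of a page."""
    entries: List[AclEntry] = []
    for line in page_text.splitlines():
        if not line.startswith("#"):      # processing instructions end at the first body line
            break
        m = ACL_LINE.match(line)
        if not m:
            continue                      # some other instruction, e.g. '#format wiki'
        for token in m.group(1).split():
            if token == "#acl":           # tolerate two acl lines flattened onto one
                continue
            subjects, _, rights = token.partition(":")
            entries.append((subjects.split(","), {r for r in rights.split(",") if r}))
    return entries


def allowed(entries: List[AclEntry], user: str, groups: Set[str], right: str) -> bool:
    """First matching entry wins; a user matched by no entry gets nothing."""
    for subjects, rights in entries:
        if any(s == user or s == "All" or s in groups for s in subjects):
            return right in rights
    return False


def reachable_foreign_grants(entries: List[AclEntry], owner: str) -> List[AclEntry]:
    """Audit helper: entries that can still grant rights to someone other than `owner`.

    Walks the ACL in evaluation order and stops at an 'All' entry, because no
    later entry can match anybody once 'All' has been seen.
    """
    found: List[AclEntry] = []
    for subjects, rights in entries:
        if rights and any(s != owner for s in subjects):
            found.append((subjects, rights))
        if "All" in subjects:
            break
    return found


def make_backup(owner: str, edited_page: str, deny_rest: bool = False) -> str:
    """Constructed stand-in (assumption, not MoinMoin's code) for how MoinEditorBackup
    is written: the per-user acl line is put in front of the edited page's text,
    that page's own acl lines included."""
    acl = f"#acl {owner}:read,write,delete"
    if deny_rest:
        acl += " All:"                    # the fix proposed in this report
    return acl + "\n" + edited_page


# Constructed sample page, mirroring the report's example.
EDITED_PAGE = "#acl StudentGroup:read,write\nDraft notes for the group...\n"
OWNER = "JoeBloggs"


def demo() -> dict:
    """Evaluate the leaky and the fixed backup page for the owner and a group member."""
    leaky = parse_acl(make_backup(OWNER, EDITED_PAGE))
    fixed = parse_acl(make_backup(OWNER, EDITED_PAGE, deny_rest=True))
    alice_groups = {"StudentGroup"}       # Alice is a StudentGroup member, not the owner
    return {
        "leaky_alice_read": allowed(leaky, "Alice", alice_groups, "read"),
        "leaky_alice_delete": allowed(leaky, "Alice", alice_groups, "delete"),
        "fixed_alice_read": allowed(fixed, "Alice", alice_groups, "read"),
        "fixed_owner_delete": allowed(fixed, OWNER, set(), "delete"),
        "leaky_audit": reachable_foreign_grants(leaky, OWNER),
        "fixed_audit": reachable_foreign_grants(fixed, OWNER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows that Alice can read (and write, but not delete) the leaky backup, while on the fixed backup she is stopped by the empty All entry before the copied StudentGroup entry is ever consulted; the owner keeps full rights in both cases. The audit helper is the check a wiki administrator would want: run over each user's MoinEditorBackup it lists exactly the entries that are both foreign to the owner and still reachable, so a backup carrying the proposed "All:" entry reports nothing.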
Discussion
Bug submission by ChrisGaskett.
Related to MoinMoinBugs/FullSearchSearchInEditorBackup but more serious because it allows users to unexpectedly read or edit another user's MoinEditorBackup.
Editor backups have not been shown in any page list in moin--main--1.3 since about 50 patches ago.
Plan
- Priority:
- Assigned to:
- Status: Fixed in moin-1.3, will be fixed in moin 1.2.4 also.