Description
When I enable the rst parser, the Moin include directive allows me to view pages where an ACL would normally prevent this. The include directive needs to be ACL aware.
Steps to reproduce
- Install docutils
- Create a page with #!rst .. include:: PageWhosAclsNormallyPreventMeFromReading
- View the page you shouldn't be able to see.
Example
{{{#!rst
.. include:: AcledPage
}}}
Component selection
MoinMoin/parser/rst.py:MoinDirectives::include()
Details
The MoinDirectives.include() method needs to deal with ACLs. Otherwise it allows people to view pages that they aren't supposed to have access to.
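The check this report asks for, sketched as an added example (not MoinMoin's code and not the committed fix): a toy wiki whose include expansion consults the reader's ACL for every included page, nested includes as well. PAGES, may_read, expand and view are hypothetical names, and the sample pages are constructed.

```python
import re

INCLUDE_RE = re.compile(r"^\.\. include:: (\S+)\s*$")

# Constructed sample wiki: page name -> (users allowed to read, page body).
PAGES = {
    "AcledPage": ({"admin"}, "secret budget numbers"),
    "PublicPage": ({"admin", "guest"}, "hello\n.. include:: AcledPage"),
    "Nested": ({"admin", "guest"}, ".. include:: PublicPage"),
    "Loop": ({"admin", "guest"}, ".. include:: Loop"),
}

def may_read(user, pagename):
    """Hypothetical stand-in for the wiki's per-page read ACL check."""
    return pagename in PAGES and user in PAGES[pagename][0]

def expand(user, text, acl_aware, stack):
    """Inline every include directive in text on behalf of user."""
    out = []
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)
            continue
        target = m.group(1)
        # Missing, looping and forbidden targets get the same placeholder,
        # so the output does not reveal whether a protected page exists.
        if target not in PAGES or target in stack:
            out.append("[cannot include %s]" % target)
        elif acl_aware and not may_read(user, target):
            out.append("[cannot include %s]" % target)
        else:
            out.append(expand(user, PAGES[target][1], acl_aware, stack + (target,)))
    return "\n".join(out)

def view(user, pagename, acl_aware=True):
    """Render a page; acl_aware=False reproduces the behaviour in this report."""
    if not may_read(user, pagename):  # direct views are ACL-checked in both modes
        return "[access denied]"
    return expand(user, PAGES[pagename][1], acl_aware, (pagename,))

if __name__ == "__main__":
    print(view("guest", "PublicPage", acl_aware=False))  # include ignores the ACL
    print(view("guest", "PublicPage"))                   # include honours the ACL
```

The ACL is evaluated for the user requesting the render at each level of expansion, so a readable page that includes a readable page that includes a protected one is still filtered.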
| MoinMoin Version | 1.5.7, 1.6.0, 1.6.1 |
| OS and Version | Red Hat Enterprise Linux 4 |
| Python Version | python 2.3 |
| Server Setup | Running behind Apache |
| Server Details | |
| Language you are using the wiki in (set in the browser/UserPreferences) | |
Workaround
Disable include directive:
- Patch MoinMoin/parser/rst.py:MoinDirectives::__init__() to disable include entirely.
Or disable rst parser:
- Delete MoinMoin/parser/rst.py
- If you installed the rst wiki plugin wiki/data/plugin/parser/rst.py, delete it.
Or, if you don't need rst, uninstall docutils (rst is disabled when docutils is not installed).
Discussion
Plan
- Priority:
- Assigned to:
- Status: Fixed on the:
1.5 branch by 4949ad88af4e
1.6 branch by http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546
1.7 branch by http://hg.moinmo.in/moin/1.7/rev/6eb96b8664b0
still needs to be tested