Description
In MoinMoin 1.9.2, an attempt by an unauthorized user to create a page fails at edit time, but leaves a junk directory behind in data/pages. It appears that the ACL is not checked at page creation time.
Steps to reproduce
- Set acl_rights_* to give no permissions to users who aren't logged in.
- Log out and navigate to a page that doesn't exist (e.g. NoSuchPage).
- Attempt to create it anyway.
- You will get an error message saying that you don't have permission to write the page.
- Look in the data/pages directory to find a NoSuchPage directory and an empty NoSuchPage/edit-log.
Example
Component selection
- general
Details
MoinMoin Version | 1.9.2
OS and Version | Mac OS X 10.6
Python Version | 2.6.1
Server Setup | Apache CGI
Server Details |
Language you are using the wiki in | English
Workaround
Delete junk directories from time to time (a little dangerous) or ignore them.
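An added example (not part of this report or of MoinMoin itself) of a safer version of that workaround: it scans data/pages for directories that look like the leftovers described above (no revisions and an empty or absent edit-log), lists them, and only deletes with dry_run=False. It assumes the standard 1.9 page layout (pages/<Name>/edit-log, revisions/, current) and uses a constructed sample tree; run it while the wiki is idle, since a page being created at the same moment would briefly look the same.

```python
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple


def is_junk_page_dir(page_dir: Path) -> bool:
    """True if page_dir looks like the leftover of a denied page creation."""
    if not page_dir.is_dir():
        return False
    edit_log = page_dir / "edit-log"
    if edit_log.exists() and edit_log.stat().st_size > 0:
        return False  # real edit history, never touch
    revisions = page_dir / "revisions"
    if revisions.is_dir() and any(revisions.iterdir()):
        return False  # has stored content (even a deleted page keeps these)
    # Any other entry (e.g. "current", attachments) means the page is real.
    others = [p for p in page_dir.iterdir() if p.name not in ("edit-log", "revisions")]
    return not others


def find_junk_pages(pages_root: Path) -> List[str]:
    return sorted(p.name for p in pages_root.iterdir() if is_junk_page_dir(p))


def remove_junk_pages(pages_root: Path, dry_run: bool = True) -> List[str]:
    """Return the junk page names; remove them only when dry_run is False."""
    junk = find_junk_pages(pages_root)
    if not dry_run:
        for name in junk:
            shutil.rmtree(pages_root / name)
    return junk


def build_sample_tree(root: Path) -> Path:
    """Constructed sample data/pages: one legitimate page and one junk dir."""
    pages = root / "data" / "pages"
    real = pages / "FrontPage"
    (real / "revisions").mkdir(parents=True)
    (real / "revisions" / "00000001").write_text("= Front page =\n")
    (real / "current").write_text("00000001\n")
    (real / "edit-log").write_text("1234567890000000\t00000001\tSAVENEW\tFrontPage\n")
    junk = pages / "NoSuchPage"          # what the failed creation leaves behind
    junk.mkdir()
    (junk / "edit-log").write_text("")   # empty edit-log, nothing else
    return pages


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Run the check against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pages = build_sample_tree(Path(tmp))
        before = find_junk_pages(pages)
        removed = remove_junk_pages(pages, dry_run=False)
        after = find_junk_pages(pages)
        return before, removed, after, sorted(p.name for p in pages.iterdir())


if __name__ == "__main__":
    print(demo())
```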
Discussion
The behaviour allows for a denial of service attack where the server relies on a filesystem that limits the number of permissible subdirectories. Overloading an ext2 filesystem, for example, is relatively easy and prevents users from creating legitimate pages.
Note: the ACL is of course checked, but some bad code triggered the creation of the empty edit-log when displaying the "not allowed" response.
Plan
- Priority:
- Assigned to:
Status: (hopefully) fixed by http://hg.moinmo.in/moin/1.9/rev/6489ec33874d - please test