[Moin-devel] ANN: Security hole in 1.3.2 - Patch attached
Alexander Schremmer
2004b at usenet.alexanderweb.de
Mon Jan 24 09:06:09 EST 2005
Hi,

there was a report about a security issue today. We were able to confirm it
and created a patch that will fix this issue. Either apply the following
patch or copy the linked file into the directory which contains the
MoinMoin package. This is mostly the directory lib/site-packages.

The bug causes search results from pages the user can not
read to be displayed. When clicking on the link to the
page, the user is not able to read the full page, though.

For more information see
<http://moinmoin.wikiwikiweb.de/MoinMoinBugs/FullTextSearchIgnoresAcl>

Fixed search.py:
http://moinmoin.wikiwikiweb.de/MoinMoinBugs/FullTextSearchIgnoresAcl?action=AttachFile&do=get&target=search.py

I hope that there will be a new release today that contains this patch.

Kind regards,
Alexander
--- orig/MoinMoin/search.py
+++ mod/MoinMoin/search.py
@@ -1014,7 +1014,7 @@
if result:
if not filter:
# Filter deleted pages or pages the user can't read.
- if not page.exists() and request.user.may.read(name):
+ if not (page.exists() and request.user.may.read(name)):
continue
hits.append(FoundPage(name, result))
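Review bot: On the changed line the read check still appears to sit under the `if not filter:` guard from the context lines, so whenever `filter` is set nothing visible here skips pages the user cannot read; please confirm that the filter path applies `request.user.may.read(name)` itself, or move the ACL test out of the guard. The corrected condition would also read more plainly as `if not page.exists() or not request.user.may.read(name):`, and a regression test that runs a full-text search as a user without read rights on a matching page would keep this `not`/`and` precedence slip from coming back.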
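The precedence error the patch corrects, shown over every exists/readable combination. This is an added example, not part of the original post and not MoinMoin code: `Page`, the sample pages and the helper names are constructed stand-ins, with `readable` standing for the result of `request.user.may.read(name)`.

```python
# Added illustration; Page and the sample pages are constructed stand-ins,
# not MoinMoin classes.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Page:
    name: str
    exists: bool
    readable: bool  # what the ACL read check would return for this user


def skip_buggy(page):
    # Pre-patch condition: Python parses it as (not exists) and readable.
    return not page.exists and page.readable


def skip_fixed(page):
    # Patched condition: skip unless the page exists AND is readable.
    return not (page.exists and page.readable)


def hits(pages, skip):
    """Names of matching pages that survive the filter."""
    return [p.name for p in pages if not skip(p)]


# Constructed sample: one page per combination of exists/readable.
PAGES = [
    Page(f"{'Live' if e else 'Deleted'}{'Public' if r else 'Private'}", e, r)
    for e, r in product((True, False), repeat=2)
]


def leaked(pages):
    """Pages listed by the buggy filter that the fixed filter drops."""
    return sorted(set(hits(pages, skip_buggy)) - set(hits(pages, skip_fixed)))


if __name__ == "__main__":
    print("buggy: ", hits(PAGES, skip_buggy))
    print("fixed: ", hits(PAGES, skip_fixed))
    print("leaked:", leaked(PAGES))
```

The buggy predicate only ever skips deleted pages the user could read, so every page the ACL denies stays in the hit list.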