| Title | Other user's login name should not be allowed as full name |
| Date | 22-Aug-2006 09:29:33 EEST |
| Version | 2.4.33 |
| Submitter | Candid Dauth |
| Bug criticality | CriticalBug |
| Browser version | * |
| Bug status | ClosedBug |
| PageProvider used | |
| Servlet Container | tomcat-5.5 |
| Operating System | GNU/Linux |
| URL | |
| Java version | sun-jdk1.5.0_07 |
Currently, we are running JSPWiki 2.2.33. Thus, ACLs are defined using the users' login names. We want to upgrade to the 2.4.x series now, which supports setting a full name. Fortunately, I can't use another user's full name for myself, but in fact I can use his login name as full name. This will cause all the ACL settings for him defined using his login name to also apply to me.
I propose not to allow setting another user's login name as full name at all.
Good catch. Upgraded this, since this is a critical security flaw.
This has been fixed in 2.4.52. Thanks for spotting this.
--Andrew Jaquith, 09-Sep-2006
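The check proposed in this report, sketched as an added example (not JSPWiki's code and not the fix shipped in 2.4.52). All class and method names are hypothetical, the accounts are constructed, and it assumes an ACL entry matches a user by either login name or full name, compared case-insensitively.

```java
import java.util.*;

/** Added illustration, not JSPWiki code; every class and method name is hypothetical. */
public class FullNameCollisionDemo {
    static final class User {
        final String login; String fullName;
        User(String login, String fullName) { this.login = login; this.fullName = fullName; }
    }
    private final Map<String, User> users = new LinkedHashMap<>();

    // Assumption: names are compared trimmed and case-insensitively.
    static String norm(String s) { return s == null ? "" : s.trim().toLowerCase(Locale.ROOT); }

    void add(String login, String fullName) { users.put(norm(login), new User(login, fullName)); }

    /** ACL check that accepts either of a user's names (the behaviour the report implies). */
    boolean aclAllows(Set<String> aclNames, String login) {
        User u = users.get(norm(login));
        if (u == null) return false;
        for (String entry : aclNames) {
            String e = norm(entry);
            if (!e.isEmpty() && (e.equals(norm(u.login)) || e.equals(norm(u.fullName)))) return true;
        }
        return false;
    }

    /** Rejects a full name equal to any OTHER user's login name or full name. */
    void setFullName(String login, String proposed) {
        User self = users.get(norm(login));
        String p = norm(proposed);
        if (self == null || p.isEmpty()) throw new IllegalArgumentException("unknown user or empty name");
        for (User other : users.values()) {
            if (other == self) continue; // a user may reuse their own names
            if (p.equals(norm(other.login)) || p.equals(norm(other.fullName)))
                throw new IllegalArgumentException("name already identifies user " + other.login);
        }
        self.fullName = proposed;
    }

    public static void main(String[] args) {
        FullNameCollisionDemo db = new FullNameCollisionDemo();
        db.add("alice", "Alice Example");     // constructed sample accounts
        db.add("mallory", "Mallory Example");
        Set<String> acl = Set.of("alice");    // ACL written with a login name, as in 2.2.x
        try {
            db.setFullName("mallory", "Alice"); // collides with alice's login name
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("mallory matches alice's ACL: " + db.aclAllows(acl, "mallory"));
    }
}
```

Because the ACL lookup treats both name fields as one namespace, the uniqueness check has to cover both fields as well; checking full names only against other full names leaves the login-name collision open.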