Tags:
create new tag
, view all tags

Bug: viewfile does not check permissions

AFAICT the shipped viewfile script does not check permissions. This means that a footpad who knew the name of an attachment to a secured topic can access it. Worse, if the filename parameter is not passed, the footpad can get a listing of the pub directory for that topic.

-- CrawfordCurrie - 03 Dec 2004

Fixed in Dakar.

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r3 - 2006-02-13 - CrawfordCurrie
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.