Security problem displaying result of search, changes, mailnotify, and viewing revisions
When a user displays a search result (standard display), displays the History, or receives an e-mail (Notify), it is possible to view part of a topic with restricted access (ALLOWTOPICVIEW) in the lists. Revisions (even the latest) can also always be viewed.
Test case
The problem: in TWiki.pm the method "makeTopicSummary" has no permission test; I have patched it with:
www:/opt/twiki/lib # diff -b -B TWiki.pm TWiki.pmOLD
1135,1136d1134
< # GuidoBrugnara test permission in function makeTopicSummary called by search, mailnotify & changes after calling readFileHead
< if( &TWiki::Access::checkAccessPermission( "view", $TWiki::wikiUserName, $theText, $theTopic, $theWeb ) ){
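Review bot: the check is keyed on $TWiki::wikiUserName, so it only helps when the caller runs as the real user; as the report itself notes, mailnotify runs as "nobody" and builds one list for everyone, so this hunk alone does not close the e-mail leak until mailnotify evaluates the list per subscriber. The opening `if(` also has no closing brace in this hunk (it is closed only by the `}else{` in the hunk at 1172), so the two hunks should be reviewed and applied as one change.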
1172,1174d1169
< }else{
< return "No permission to read topic $theWeb.$theTopic\n";
< }
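Review bot: returning the literal "No permission to read topic $theWeb.$theTopic\n" as the summary still lists the restricted topic by name in search results, changes and notification mail; since the callers already have the topic name, returning an empty summary (or having search, changes and mailnotify skip the topic when the check fails) would keep restricted topics out of the lists entirely. The else block is also about 36 lines away from its `if`, so a comment marking the end of the guarded region would help the next reader.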
In the program "mailnotify" the user "nobody", used to generate the lists for all users, is the security problem;
I have patched the program mailnotify: first it reads the user list signed up in WebNotify, second it generates the list for every user (OK, it is not speedy, but privacy is respected).
Fix record
Environment
--
GuidoBrugnara - 27 Oct 2003
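As an added example (not TWiki's code and not from the report above): a small Python model of the two fixes the report describes, a view-permission check inside the summary routine and a notification list built per subscriber instead of once as the user "nobody". The DENY-then-ALLOW rule, the function names and all topic data are constructed assumptions.

```python
"""Model of the makeTopicSummary / mailnotify fixes (hypothetical, not TWiki code)."""
from dataclasses import dataclass, field


@dataclass
class Topic:
    web: str
    name: str
    text: str
    allow_view: set = field(default_factory=set)  # ALLOWTOPICVIEW (constructed)
    deny_view: set = field(default_factory=set)   # DENYTOPICVIEW (constructed)


def check_access_permission(user: str, topic: Topic) -> bool:
    """Assumed rule: an explicit DENY wins; if ALLOW is set, only listed users pass."""
    if user in topic.deny_view:
        return False
    if topic.allow_view and user not in topic.allow_view:
        return False
    return True


def make_topic_summary(user: str, topic: Topic, width: int = 40) -> str:
    """Summary used by search, changes and mailnotify, guarded by the check.

    Mirrors the patch: callers get a refusal string instead of topic text."""
    if not check_access_permission(user, topic):
        return f"No permission to read topic {topic.web}.{topic.name}"
    return topic.text[:width]


def notify_lists(subscribers, changed_topics):
    """Build one change list per subscriber (the fix for running as 'nobby').

    Restricted topics are omitted for users who fail the check, so the
    notification does not even reveal that the topic changed."""
    return {
        user: [make_topic_summary(user, t) for t in changed_topics
               if check_access_permission(user, t)]
        for user in subscribers
    }


# Constructed sample data: one public topic, one restricted to a single user.
PUBLIC = Topic("Main", "WebHome", "Welcome to the public web home.")
SALARIES = Topic("Main", "Salaries", "Salary table for 2003, confidential.",
                 allow_view={"GuidoBrugnara"})
CHANGED = [PUBLIC, SALARIES]
SUBSCRIBERS = ["GuidoBrugnara", "nobody"]
```

Running `notify_lists(SUBSCRIBERS, CHANGED)` gives "nobody" only the public summary, while the old single-list approach would have sent the restricted summary to every WebNotify subscriber.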
Thank you for bringing this to our attention.
ALLOWTOPICVIEW is an undocumented feature; it was not mentioned in the TWikiRelease01Feb2003 docs. The latest docs state:
"Technically it is possible to restrict read access to an individual topic based on DENYTOPICVIEW / ALLOWTOPICVIEW preferences variables, provided that the view script is authenticated. However this setup is not recommended since all content is searchable within a web - a search will turn up view restricted topics."
I changed the classification from BugReport to FeatureEnhancementRequest because of this.
There are other places that need to be fixed as well before we can officially document that feature. As always, performance tests and tuning need to be done before rolling out changes that affect performance.
--
PeterThoeny - 27 Oct 2003
ALLOWTOPICVIEW works fine when the normal view is used. However, once a non-authorized user views a particular revision of the page by adding something like ?rev=1.2, e.g. selecting the last revision number (which can easily be guessed by trying), this user can see that particular revision of the page without having the right to do so. After this, the user can even view the latest revision of the page without adding the revision ending. I changed the title of this topic to take this into account.
--
WolfgangSlany - 02 Dec 2003