Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-12859

Hidden pages' content can be viewed without permission using copypage.action

      If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.
      EG:
      Two spaces A and B
      Page with id 1 is in Space A
      User cannot see Space A
      User can see Space B

      The following URL will allow the user to copy the page to space B and view its content.

      http://confluence.example.com/pages/copypage.action?spaceKey=B&idOfPageToCopy=1
      

        1. CopyPageAction.class-2.6.2
          6 kB
        2. CopyPageAction.class-2.7.3
          6 kB
        3. CopyPageAction.class-2.8.2
          6 kB
        4. CopyPageAction.java-2.6.2
          4 kB
        5. CopyPageAction.java-2.7.3
          4 kB
        6. CopyPageAction.java-2.8.2
          4 kB

            [CONFSERVER-12859] Hidden pages' content can be viewed without permission using copypage.action

            Java 1.4 compiled 2.6.2 patch attached.

            Paul Curren added a comment - Java 1.4 compiled 2.6.2 patch attached.

            Attached the patched java files for 2.7.3 and 2.8.2.

            Chris Kiehl added a comment - Attached the patched java files for 2.7.3 and 2.8.2.

            I attached patched class files for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions.

            The subdirectories for the class file are com/atlassian/confluence/pages/actions/. You need to remove the "-<version>" from the class file before copying it.

            Chris Kiehl added a comment - I attached patched class files for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions . The subdirectories for the class file are com/atlassian/confluence/pages/actions/ . You need to remove the "-<version>" from the class file before copying it.

            Don Willis added a comment -

            Permissions are now checked on the page being copied.

            Don Willis added a comment - Permissions are now checked on the page being copied.

            This issue was reported to support by Neeraj Jhanji

            Don Willis added a comment - This issue was reported to support by Neeraj Jhanji

              don.willis@atlassian.com Don Willis
              don.willis@atlassian.com Don Willis
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: