[CONFSERVER-12860] Hidden pages' content can be viewed without permission using diffpages.action

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.1
Affects Version/s: 2.4.3, 2.9
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.
EG:
Two spaces A and B
Page with id 1 is in Space A
Page with id 2 is in Space B
User cannot see Space A
User can see Space B

The following URL will allow the user to view a diff of the two pages, thus easily deriving the content of the page in the hidden space.

http://confluence.example.com/pages/diffpages.action?pageId=2&originalId=1

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

AbstractDiffPagesAction.class-2.6.2
23/Dec/2008 6:44 AM
3 kB
Paul Curren
AbstractDiffPagesAction.class-2.7.3
26/Aug/2008 11:55 PM
3 kB
Chris Kiehl
AbstractDiffPagesAction.class-2.8.2
26/Aug/2008 11:55 PM
3 kB
Chris Kiehl
AbstractDiffPagesAction.java-2.6.2
23/Dec/2008 6:44 AM
2 kB
Paul Curren
AbstractDiffPagesAction.java-2.7.3
04/Sep/2008 12:15 AM
2 kB
Chris Kiehl
AbstractDiffPagesAction.java-2.8.2
04/Sep/2008 12:15 AM
2 kB
Chris Kiehl

is related to

CONFSERVER-12859 Hidden pages' content can be viewed without permission using copypage.action

Closed

Paul Curren added a comment - 23/Dec/2008 6:44 AM

Java 1.4 compiled 2.6.2 patch attached.

Paul Curren added a comment - 23/Dec/2008 6:44 AM Java 1.4 compiled 2.6.2 patch attached.

Chris Kiehl added a comment - 04/Sep/2008 12:15 AM

Attached patched source files for 2.7.3 and 2.8.2

Chris Kiehl added a comment - 04/Sep/2008 12:15 AM Attached patched source files for 2.7.3 and 2.8.2

Chris Kiehl added a comment - 26/Aug/2008 11:55 PM

I attached patched class files for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions.

The subdirectories for the class file are com/atlassian/confluence/pages/actions/. You need to remove the "-<version>" from the class file before copying it.

Chris Kiehl added a comment - 26/Aug/2008 11:55 PM I attached patched class files for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions . The subdirectories for the class file are com/atlassian/confluence/pages/actions/ . You need to remove the "-<version>" from the class file before copying it.

Don Willis added a comment - 26/Aug/2008 6:07 AM

Permissions are now checked on both pages being diffed.

Don Willis added a comment - 26/Aug/2008 6:07 AM Permissions are now checked on both pages being diffed.

Don Willis added a comment - 25/Aug/2008 10:34 AM

This issues was reported to support by Neeraj Jhanji

Don Willis added a comment - 25/Aug/2008 10:34 AM This issues was reported to support by Neeraj Jhanji

Assignee:: Don Willis

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 25/Aug/2008 10:33 AM

Updated:: 11/Oct/2018 8:36 AM

Resolved:: 26/Aug/2008 6:07 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Paul Curren added a comment - 23/Dec/2008 6:44 AM

Expand comment: Paul Curren added a comment - 23/Dec/2008 6:44 AM

Collapse comment: Chris Kiehl added a comment - 04/Sep/2008 12:15 AM

Expand comment: Chris Kiehl added a comment - 04/Sep/2008 12:15 AM

Collapse comment: Chris Kiehl added a comment - 26/Aug/2008 11:55 PM

Expand comment: Chris Kiehl added a comment - 26/Aug/2008 11:55 PM

Collapse comment: Don Willis added a comment - 26/Aug/2008 6:07 AM

Expand comment: Don Willis added a comment - 26/Aug/2008 6:07 AM

Collapse comment: Don Willis added a comment - 25/Aug/2008 10:34 AM

Expand comment: Don Willis added a comment - 25/Aug/2008 10:34 AM

People

Dates