[CONFSERVER-15809] Viewfile macros do not respect page restrictions

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 3.0
Affects Version/s: 2.10.3
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Add a page
Set viewing restrictions to user1 only
Add an attachment - 'Sample.doc'
Log in as user2 - confirm that you cannot see the restricted page
Add a page, and use the viewfile macro
Enter the location of the attachment on the restricted page

The contents of the attachment can now be viewed by user2. This is a serious violation of page permissions.

Ximon Eighteen added a comment - 09/Nov/2009 12:22 PM

To fix this in previous versions of Confluence, please upgrade to version 1.5 of the office connector.

Hello Andrew,

What is the correct way to perform this upgrade in Confluence 2.10.3? I wanted to test this so downloaded 2.10.4 for Windows (as 2.10.3 is no longer available due to the licensing change) and discovered:

The version of Office Connector listed in the Plugin Repository is 1.4.3 which is marked as unknown and it says the latest is 1.4.1.
No upgrade link is offered via the Plugin Repository.
The 1.4.3 jar file is inside the atlassian-bundled-plugins.zip and thus the jar inside the zip must be changed.

Another user asked on the Office Connector plugin page if 1.5 is compatible with 2.10.3 but the answer wasn't very clear.

If 1.5 is safe to use with Confluence 2.10.3 shouldn't the Plugin Repository list 1.5 as the latest available version?

Cheers,

Ximon

Ximon Eighteen added a comment - 09/Nov/2009 12:22 PM To fix this in previous versions of Confluence, please upgrade to version 1.5 of the office connector. Hello Andrew, What is the correct way to perform this upgrade in Confluence 2.10.3? I wanted to test this so downloaded 2.10.4 for Windows (as 2.10.3 is no longer available due to the licensing change) and discovered: The version of Office Connector listed in the Plugin Repository is 1.4.3 which is marked as unknown and it says the latest is 1.4.1. No upgrade link is offered via the Plugin Repository. The 1.4.3 jar file is inside the atlassian-bundled-plugins.zip and thus the jar inside the zip must be changed. Another user asked on the Office Connector plugin page if 1.5 is compatible with 2.10.3 but the answer wasn't very clear. If 1.5 is safe to use with Confluence 2.10.3 shouldn't the Plugin Repository list 1.5 as the latest available version? Cheers, Ximon

Andrew Lynch (Inactive) added a comment - 03/Jun/2009 2:19 AM

To fix this in previous versions of Confluence, please upgrade to version 1.5 of the office connector.

Regards,
Andrew Lynch

Andrew Lynch (Inactive) added a comment - 03/Jun/2009 2:19 AM To fix this in previous versions of Confluence, please upgrade to version 1.5 of the office connector . Regards, Andrew Lynch

RyanA added a comment - 29/May/2009 5:58 AM

looks fine

RyanA added a comment - 29/May/2009 5:58 AM looks fine

Anatoli added a comment - 22/May/2009 7:05 AM

still need to release the new version after the changes are reviewed.

Anatoli added a comment - 22/May/2009 7:05 AM still need to release the new version after the changes are reviewed.

Anatoli added a comment - 22/May/2009 7:01 AM

Added permission check to viewfile macro.

Anatoli added a comment - 22/May/2009 7:01 AM Added permission check to viewfile macro.

Paul Curren added a comment - 21/May/2009 10:19 AM

I presume this isn't specific to 3, but also existing in older versions of Confluence?

Either way, once we know about security issues like this our stated policy is to address it as soon as possible so i've targeted this for 3.0.

I've made it priority 2 and not 1 since it can be mitigated by not using this plugin.

Paul Curren added a comment - 21/May/2009 10:19 AM I presume this isn't specific to 3, but also existing in older versions of Confluence? Either way, once we know about security issues like this our stated policy is to address it as soon as possible so i've targeted this for 3.0. I've made it priority 2 and not 1 since it can be mitigated by not using this plugin.

Assignee:: Anatoli

Reporter:: Mark Hrynczak (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 0 Start watching this issue

Created:: 21/May/2009 8:05 AM

Updated:: 11/Oct/2018 9:01 AM

Resolved:: 31/May/2009 11:38 PM

Details

Description

Attachments

Forms

Activity

Collapse comment: Ximon Eighteen added a comment - 09/Nov/2009 12:22 PM

Expand comment: Ximon Eighteen added a comment - 09/Nov/2009 12:22 PM

Collapse comment: Andrew Lynch (Inactive) added a comment - 03/Jun/2009 2:19 AM

Expand comment: Andrew Lynch (Inactive) added a comment - 03/Jun/2009 2:19 AM

Collapse comment: RyanA added a comment - 29/May/2009 5:58 AM

Expand comment: RyanA added a comment - 29/May/2009 5:58 AM

Collapse comment: Anatoli added a comment - 22/May/2009 7:05 AM

Expand comment: Anatoli added a comment - 22/May/2009 7:05 AM

Collapse comment: Anatoli added a comment - 22/May/2009 7:01 AM

Expand comment: Anatoli added a comment - 22/May/2009 7:01 AM

Collapse comment: Paul Curren added a comment - 21/May/2009 10:19 AM

Expand comment: Paul Curren added a comment - 21/May/2009 10:19 AM

People

Dates