severity 533673 normal
thanks

On Fri, 2009-06-19 at 14:00 -0400, Michael S. Gilbert wrote:
> moin in stable/oldstable has a hierarchical ACL vulnerability. this
> is fixed in upstream 1.8.4, which is already in unstable. see [1].
> please coordinate fixes with the security team.
I have analyzed the code, and made some tests. It seems that there is no such "ACL vulnerability". Actually it doesn't even seem to be a bug: the developers seem to have decided to change the behavior of ACLs in moinmoin.

Until moinmoin 1.8.3, the ACLs were evaluated as if the ACLs of parent pages were concatenated, like this:

  include_acl(acl_rights_before)
  include_acl(PageFoo/SubPageBar/SubSubPageBaz)
  include_acl(PageFoo/SubPageBar)
  include_acl(PageFoo)
  include_acl(acl_rights_default)
  include_acl(acl_rights_after)

=> This is consistent with the way ACLs are documented in:
http://master17.moinmo.in/HelpOnAccessControlLists#HierarchicalACLprocessing

The new behavior in 1.8.4 would be to use the parent page only if the page has absolutely no ACL:

  include_acl(acl_rights_before)
  if has_acl(PageFoo/SubPageBar/SubSubPageBaz)
      include_acl(PageFoo/SubPageBar/SubSubPageBaz)
  elseif has_acl(PageFoo/SubPageBar)
      include_acl(PageFoo/SubPageBar)
  elseif has_acl(PageFoo)
      include_acl(PageFoo)
  include_acl(acl_rights_default)
  include_acl(acl_rights_after)

=> The documentation for moin 1.8/1.9 needs to be updated.

I am waiting for upstream's feedback on this issue, but if this is confirmed, it means that it is neither a vulnerability nor a bug.

Franklin

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
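The two evaluation strategies described in the message above, as an added example that is not part of the bug report and not MoinMoin's own code. The page tree, the site-wide acl_rights_before/default/after values and the "first matching entry decides" rule are constructed assumptions chosen so that the two strategies give different answers on the same page; a wiki administrator can adapt the table to audit which users gain or lose rights under the 1.8.4 rule.

```python
# Added example: simplified model of hierarchical ACL evaluation before and
# after moin 1.8.4, as described in the bug report. Not MoinMoin's code.
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, Set[str]]  # (entity, rights granted to that entity)

# Constructed page tree: page name -> its own ACL entries, or None for "no ACL".
PAGE_ACLS: Dict[str, Optional[List[Entry]]] = {
    "PageFoo": [("All", {"read"})],
    "PageFoo/SubPageBar": [("alice", {"read", "write"})],
    "PageFoo/SubPageBar/SubSubPageBaz": None,  # inherits, has no ACL of its own
}

# Constructed site-wide settings (the names mirror moin's config keys,
# the values are made up for this example).
ACL_RIGHTS_BEFORE: List[Entry] = []
ACL_RIGHTS_DEFAULT: List[Entry] = [("Known", {"read", "write"})]
ACL_RIGHTS_AFTER: List[Entry] = []


def page_and_ancestors(page: str) -> List[str]:
    """'A/B/C' -> ['A/B/C', 'A/B', 'A'] (nearest page first)."""
    parts = page.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def acl_chain_1_8_3(page: str) -> List[Entry]:
    """Pre-1.8.4 behaviour: concatenate the ACLs of the page and every parent."""
    chain = list(ACL_RIGHTS_BEFORE)
    for name in page_and_ancestors(page):
        chain.extend(PAGE_ACLS.get(name) or [])
    return chain + ACL_RIGHTS_DEFAULT + ACL_RIGHTS_AFTER


def acl_chain_1_8_4(page: str) -> List[Entry]:
    """1.8.4 behaviour: only the nearest page (self or ancestor) that has an ACL."""
    chain = list(ACL_RIGHTS_BEFORE)
    for name in page_and_ancestors(page):
        own = PAGE_ACLS.get(name)
        if own is not None:
            chain.extend(own)
            break
    return chain + ACL_RIGHTS_DEFAULT + ACL_RIGHTS_AFTER


def may(chain: List[Entry], user: str, right: str, known: bool = True) -> bool:
    """First entry whose entity matches the user decides (assumed first-match rule)."""
    for entity, rights in chain:
        if entity == user or entity == "All" or (entity == "Known" and known):
            return right in rights
    return False  # no entry matched: deny


def compare(page: str, user: str, known: bool = True) -> Dict[str, Tuple[bool, bool]]:
    """Rights whose outcome differs between the strategies: right -> (old, new)."""
    old, new = acl_chain_1_8_3(page), acl_chain_1_8_4(page)
    return {
        r: (may(old, user, r, known), may(new, user, r, known))
        for r in ("read", "write")
        if may(old, user, r, known) != may(new, user, r, known)
    }


if __name__ == "__main__":
    baz = "PageFoo/SubPageBar/SubSubPageBaz"
    # bob is a known user: under 1.8.3 PageFoo's "All:read" entry is reached
    # before the site default and stops him writing; under 1.8.4 it is never
    # consulted, so the default "Known:read,write" grants write.
    print(compare(baz, "bob"))                # {'write': (False, True)}
    # an anonymous user loses read, because "All:read" on PageFoo no longer applies.
    print(compare(baz, "anon", known=False))  # {'read': (True, False)}
```

Running the block shows the practical consequence of the change: entries on a grandparent page stop taking effect as soon as an intermediate page defines any ACL, so rights can both widen (bob gains write) and narrow (anonymous loses read) depending on what the site defaults say.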