Information leak: Anonymous users can guess page names of restricted wikis
sebix opened this issue · 8 comments
In wikis that are configured not to allow read access to unauthenticated anonymous users, these users can still find out which pages exist and which don't exist.
For existing pages, the error message is
Access Denied
You are not allowed to access this resource.
For non-existing pages, the error message is
Item not found
Item 'Home/DokumenteVonAnderenNicht' does not exist.
This was also mentioned in #791 (comment) by @ReimarBauer.
For consistency and to prevent unwanted information leaks, I propose always showing the "Access denied" when the user cannot see it as if the non-existent page existed.
I would recommend changing the error message in both cases to something like "Item 'ITEMNAME' does not exist or you do not have permission".
@RogerHaase and @ThomasWaldmann, do you agree?
It will be a bit confusing if someone wants to add an item that already exists but the user does not have permission.
Agree
Before I'm gonna touch the code and update all the translations, let's agree on a string :)
What about this?
The item '{item_name}' does not exist or you do not have permission to access it
It's a mix of the two strings currently in place.
ok
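As an added example (not code from the MoinMoin project), a minimal model of the item view discussed above: it shows why two distinct messages give an anonymous user an existence oracle for restricted items, and a check that the agreed unified message closes it. The item store, ACLs, item names and the status codes used are constructed assumptions.

```python
# Added example, not MoinMoin code. Models the item view before and after the
# proposed fix and checks whether an anonymous user can distinguish a forbidden
# existing item from a missing one. All data below is constructed.
from typing import Callable, Tuple

# Constructed store: item name -> set of users allowed to read it.
ITEMS = {
    "Home": {"anonymous", "alice"},
    "Home/DokumenteVonAnderenNicht": {"alice"},  # exists; anonymous may not read
}

Response = Tuple[int, str]  # (HTTP status, message body)


def view_item_leaky(item_name: str, user: str) -> Response:
    """Behaviour before the fix: the two branches answer differently."""
    if item_name not in ITEMS:
        return 404, f"Item '{item_name}' does not exist."
    if user not in ITEMS[item_name]:
        return 403, "You are not allowed to access this resource."
    return 200, f"<content of {item_name}>"


def view_item_fixed(item_name: str, user: str) -> Response:
    """Behaviour after the fix: one status and one message for both cases.

    403 is an assumed choice; what matters is that both branches share it.
    """
    if item_name not in ITEMS or user not in ITEMS[item_name]:
        return 403, (f"The item '{item_name}' does not exist "
                     "or you do not have permission to access it")
    return 200, f"<content of {item_name}>"


def _normalise(resp: Response, item_name: str) -> Response:
    """Replace the requested name so only the response *shape* is compared."""
    status, body = resp
    return status, body.replace(item_name, "{item_name}")


def is_existence_oracle(view: Callable[[str, str], Response], user: str,
                        forbidden: str, missing: str) -> bool:
    """True if `user` can tell a forbidden existing item from a missing one.

    Status code and body are both compared; a difference in either leaks.
    Response timing is not modelled here.
    """
    return _normalise(view(forbidden, user), forbidden) != \
        _normalise(view(missing, user), missing)
```

The check compares status and body; in a real deployment the response timing of the two branches should be compared as well.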
I think you missed this change to the Development docs https://moin-20.readthedocs.io/en/latest/devel/development.html
install the pre-commit hook:
pre-commit install # pre-commit is used for code linting / auto-format
and the commit to master is hung up (and rather hidden).
If you click on the red X above and then click on Details you will see Black is complaining about some code formatting.
I think a way to fix this is to:
- run the "pre-commit install" command
- make a minor change to views.py, then try to commit
- Black will complain about the code format, and correct it automatically
- do a de-stage, stage cycle
- commit, push
Thanks, pre-commit was indeed missing.
How can I get the templates translated? I followed https://moin-20.readthedocs.io/en/latest/devel/translate.html to extract, update and compile the locales, but I still see the English text instead of the translated German one.
Can you check the timestamps in your running environment for translations/de/LC_MESSAGES/messages.po and messages.mo? The messages.po should contain your changes and messages.mo should have a newer timestamp. The messages.mo is created by 'pybabel compile' and is read on each start of the webserver.
The line '#, fuzzy' can be deleted from translations that you have updated. I don't know if this has any impact.
That did the trick! Thank you!