← Back to branch summary

~ubuntu-branches/ubuntu/hardy/moin/hardy-security

« back to all changes in this revision

Viewing changes to debian/patches/00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch

  • Committer: Bazaar Package Importer
  • Author(s): Kees Cook
  • Date: 2007-05-14 15:55:15 UTC
  • mfrom: (0.4.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20070514155515-apl4srcch40h9fcx
Tags: 1.5.7-3ubuntu1
* Merge from debian unstable, remaining changes:
  - 11000_show_traceback_toggle.patch: allow for 'show_traceback=0' in
    Moin configurations.

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/00825_SECURITY-fix_MonthCalendar_respect_ACLs.patch
 
1
# HG changeset patch
 
2
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
 
3
# Date Mon Apr 02 23:05:14 2007 +0200
 
4
# Node ID 0e41a0429ee13f5bba8bca418bc5898df91c91f7
 
5
# parent: 5e758e78e32797bb9625bb210572881ac3841f23
 
6
MonthCalendar: ACL security fix
 
7
 
 
8
--- a/MoinMoin/macro/MonthCalendar.py   Sun Mar 18 23:14:08 2007 +0100
 
9
+++ b/MoinMoin/macro/MonthCalendar.py   Mon Apr 02 23:05:14 2007 +0200
 
10
@@ -389,7 +389,7 @@ def execute(macro, text):
 
11
                 else:
 
12
                     link = "%s/%4d-%02d-%02d" % (page, year, month, day)
 
13
                 daypage = Page(request, link)
 
14
-                if daypage.exists():
 
15
+                if daypage.exists() and request.user.may.read(link):
 
16
                     csslink = "cal-usedday"
 
17
                     query = {}
 
18
                     r, g, b, u = (255, 0, 0, 1)
 
19
--- a/docs/CHANGES      Sun Mar 18 23:14:08 2007 +0100
 
20
+++ b/docs/CHANGES      Mon Apr 02 23:05:14 2007 +0200
 
21
@@ -37,6 +37,7 @@ Version 1.5.current:
 
22
       does when clicking on those links.
 
23
 
 
24
   Bugfixes:
 
25
+    * ACL security fix: MonthCalendar respects ACLs of day pages now
 
26
     * Symbolic entities with numbers (like &sup2;) did not work, fixed.
 
27
     * Correct encoding/decoding for surge-log data, fixes leftover
 
28
       surge-logXXXXXXX.tmp files in data/cache/surgeprotect.
 
29