Title: Other user's login name should not be allowed as full name
Date: 22-Aug-2006 09:29:33 EEST
Version: 2.4.33
Submitter: Candid Dauth
Bug criticality: CriticalBug
Browser version: *
Bug status: ClosedBug
PageProvider used:
Servlet Container: tomcat-5.5
Operating System: GNU/Linux
URL:
Java version: sun-jdk1.5.0_07

Currently, we are running JSPWiki 2.2.33. Thus, ACLs are defined using the users' login names. We want to upgrade to the 2.4.x series now, which supports setting a full name. Fortunately, I can't use another user's full name for myself, but in fact I can use his login name as full name. This will cause all the ACL settings for him defined using his login name to also apply to me.

I propose not to allow setting another user's login name as full name at all.


Good catch. Upgraded this, since this is a critical security flaw.

-- JanneJalkanen


This has been fixed in 2.4.52. Thanks for spotting this.

--Andrew Jaquith, 09-Sep-2006
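
The collision reported above and the proposed uniqueness rule, as an added example that is not JSPWiki's code and not the fix shipped in 2.4.52. All class, record and method names are hypothetical, the sample profiles are constructed, and trimmed case-insensitive comparison is an assumption of this sketch.

```java
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration; names here are hypothetical and are not JSPWiki's API.
public class NameCollisionCheck {
    record Profile(String loginName, String fullName) {}

    // Assumption of this sketch: names are compared trimmed and case-insensitively.
    static String norm(String s) {
        return s == null ? "" : s.trim().toLowerCase(Locale.ROOT);
    }

    // ACL matching as the report describes it: an entry matches any name the user carries.
    static boolean aclAllows(Set<String> aclEntries, Profile user) {
        for (String entry : aclEntries) {
            String e = norm(entry);
            if (e.equals(norm(user.loginName())) || e.equals(norm(user.fullName()))) {
                return true;
            }
        }
        return false;
    }

    // Proposed rule: a full name may not equal any OTHER user's login name or full name.
    static boolean fullNameAvailable(Collection<Profile> existing, Profile candidate) {
        String wanted = norm(candidate.fullName());
        for (Profile p : existing) {
            if (norm(p.loginName()).equals(norm(candidate.loginName()))) {
                continue; // the candidate's own stored profile
            }
            if (wanted.equals(norm(p.loginName())) || wanted.equals(norm(p.fullName()))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample data: an ACL written with login names, as on a 2.2.x wiki.
        Profile alice = new Profile("alice", "Alice Example");
        Profile mallory = new Profile("mallory", "Alice"); // full name equals alice's login name
        Set<String> acl = Set.of("alice");

        System.out.println("ACL admits alice:          " + aclAllows(acl, alice));
        System.out.println("ACL admits mallory:        " + aclAllows(acl, mallory));
        System.out.println("colliding profile allowed: " + fullNameAvailable(List.of(alice), mallory));
        Profile renamed = new Profile("mallory", "Mallory Example");
        System.out.println("distinct profile allowed:  " + fullNameAvailable(List.of(alice), renamed));
    }
}
```

The check has to run both when a profile is created and when it is edited, and existing profiles should be audited once after an upgrade, since ACLs written before full names existed still refer to login names.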

« This page (revision-4) was last changed on 09-Sep-2006 20:45 by 24.218.63.149