|Title|Another user's login name should not be allowed as full name
|Date|22-Aug-2006 09:29:33 EEST
|Submitter|Candid Dauth
|[Bug criticality]|CriticalBug
|Browser version|*
|[Bug status]|ClosedBug
|[PageProvider] used|
|Servlet Container|tomcat-5.5
|Operating System|GNU/Linux
|Java version|sun-jdk1.5.0_07

Currently, we are running JSPWiki 2.2.33. Thus, ACLs are defined using the users' login names. We want to upgrade to the 2.4.x series now, which supports setting a full name. Fortunately, I can't use another user's full name for myself, but in fact I can use his login name as full name. This will cause all the ACL settings for him defined using his login name to also apply to me.

I propose not to allow setting another user's login name as full name at all.


Good catch.  Upgraded this, since this is a critical security flaw.

-- JanneJalkanen


This has been fixed in 2.4.52. Thanks for spotting this.

--Andrew Jaquith, 09-Sep-2006
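
The check proposed in the report, sketched as an added example; it is not JSPWiki's code and not the fix shipped in 2.4.52. The `Profile` record, the in-memory store and the case-insensitive comparison are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Added illustration, not JSPWiki code (needs Java 16+ for records).
// Assumed model: an ACL entry may name a user by login name or by full name,
// so both kinds of name share one namespace and must never overlap across accounts.
public class NameCollisionCheck {
    record Profile(String loginName, String fullName) {}

    // Hypothetical user store, keyed by login name (the account identity).
    private final Map<String, Profile> byLogin = new HashMap<>();

    // Returns the reason the profile must be rejected, or empty if it is safe to save.
    Optional<String> validate(Profile candidate) {
        for (Profile other : byLogin.values()) {
            if (other.loginName().equals(candidate.loginName())) continue; // own account
            // A full name equal to another login name would match that user's ACL entries.
            if (same(candidate.fullName(), other.loginName()))
                return Optional.of("full name equals login name of " + other.loginName());
            if (same(candidate.fullName(), other.fullName()))
                return Optional.of("full name equals full name of " + other.loginName());
            // Reverse direction: a login name that equals someone's existing full name.
            if (same(candidate.loginName(), other.fullName()))
                return Optional.of("login name equals full name of " + other.loginName());
        }
        return Optional.empty();
    }

    // Assumption: names are compared trimmed and case-insensitively.
    private static boolean same(String a, String b) {
        return a != null && b != null && a.trim().equalsIgnoreCase(b.trim());
    }

    // Saves the profile of the account identified by its login name, if it passes validation.
    boolean save(Profile p) {
        Optional<String> problem = validate(p);
        if (problem.isPresent()) {
            System.out.println("REJECTED " + p + ": " + problem.get());
            return false;
        }
        byLogin.put(p.loginName(), p);
        System.out.println("saved " + p);
        return true;
    }

    public static void main(String[] args) {
        NameCollisionCheck db = new NameCollisionCheck();
        db.save(new Profile("alice", "Alice Example")); // constructed sample users
        db.save(new Profile("bob", "alice"));           // full name is alice's login name
        db.save(new Profile("bob", "Alice Example"));   // full name is alice's full name
        db.save(new Profile("bob", "Bob Example"));     // no overlap with any other account
    }
}
```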