Bug: viewfile does not check permissions
AFAICT the shippedviewfile script does not check permissions. This means that a footpad who knew the name of an attachment to a secured topic can access it. Worse, if the filename parameter is not passed, the footpad can get a listing of the pub directory for that topic.
-- CrawfordCurrie - 03 Dec 2004
Fixed in Dakar.
Topic revision: r3 - 2006-02-13 - CrawfordCurrie
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Lima Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.