Version 2018-11-29: Security fix for DokuWiki Greebo

If you are using the DokuWiki Greebo release and rely on ACL checks in the include plugin, apply this change as soon as possible. Note that this is only an issue with namespace includes, so if you do not use namespace includes and edits are only allowed for users that have access to your whole wiki, this does not concern you (but updating is still recommended). Note that this is a problem caused by a bug in DokuWiki release Greebo. A future hotfix release of DokuWiki might fix this, too, see dokuwiki/dokuwiki#2609 for further information.
dokufreaks · Nov 29, 2018 · 6fba657 · 6fba657
1 parent cf08914
commit 6fba657
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/helper.php b/helper.php
@@ -704,7 +704,7 @@ function _get_included_pages($mode, $page, $sect, $parent_id, $flags) {
             $ns    = utf8_encodeFN(str_replace(':', '/', $page));
             // depth is absolute depth, not relative depth, but 0 has a special meaning.
             $depth = $flags['depth'] ? $flags['depth'] + substr_count($page, ':') + ($page ? 1 : 0) : 0;
-            search($pagearrays, $conf['datadir'], 'search_allpages', array('depth' => $depth), $ns);
+            search($pagearrays, $conf['datadir'], 'search_allpages', array('depth' => $depth, 'skipacl' => false), $ns);
             if (is_array($pagearrays)) {
                 foreach ($pagearrays as $pagearray) {
                     if (!isHiddenPage($pagearray['id'])) // skip hidden pages

diff --git a/plugin.info.txt b/plugin.info.txt
@@ -1,7 +1,7 @@
 base   include
 author Michael Hamann, Gina Häussge, Christopher Smith, Michael Klier, Esther Brunner
 email  michael@content-space.de
-date   2018-04-24
+date   2018-11-29
 name   include plugin
 desc   Functions to include another page in a wiki page
 url    http://dokuwiki.org/plugin:include