$s ignores publishing status of pages

A place to report and discuss bugs - please mention CMSimple-version, server, platform and browser version
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

$s ignores publishing status of pages

Post by cmb » Sun Jan 18, 2015 10:04 pm

Hello Community,

while fixing Locator shows unpublished first page as "Home" I've noticed that $s ignores the publishing status of pages, i.e. even if the requested page is unpublished, $s is set as if it wasn't. One issue that is caused by this faulty behavior can be seen in the locator. Requesting an unpublished page shows the same output as if the page was not published, while requesting a non-existent page shows "Error 404: Not found". Actually, this is an Information Exposure Vulnerability (albeit a minor one), because a visitor must not be able to find unpublished pages.

I have fixed that with r1462+r1463.

However, this raises a new issue: after switching an unpublished page to view mode, switching to edit mode will change to the first page. This happens because of the first if statement in XH_adminMenu() (by the way, I'm not sure why $su is reset here; seems somewhat strange). Fixing the issue is likely to require another global variable[1], which would either store the indexes of unpublished pages ($hc style), or flags signalling whether a page is hidden ($h style). OTOH, this variable would simplify the $_XH_firstPublishedPage detection, and could even be used to get rid of $_XH_firstPublishedPage, but this variable might already be used by custom code. So, I'm not sure whether we should regard this issue as a bug, or merely as an improvable behavior[2] (similar to the "No page selected" message which pops up from time to time in edit mode).

[1] More generally, it requires global state, but PHP 4 doesn't allow tagging a class member as static, while PHP 5 throws an E_STRICT if a non-statically declared member is accessed statically.
[2] While we have a regression against former CMSimple_XH versions, classic CMSimple behaves as XH with these patches.
Christoph M. Becker – Plugins for CMSimple_XH
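The following is an added illustration of the defect described in the post, not CMSimple_XH's own code (the function names, the $adm parameter and the sample site are assumptions). The naive resolver derives the selected page index from the URL alone, so a draft page behaves like a published one; the hardened resolver treats an unpublished page as "not found" for visitors, while still resolving it for a logged-in admin so that switching to edit mode does not fall back to the first page.

```php
<?php
// Added example (hypothetical helpers, not CMSimple_XH's real functions).
// $urls / $headings / $hidden below are constructed sample data in the
// spirit of the CMS's $u, $h and hidden-page globals.

/**
 * Naive variant: the selected index is derived from the URL only, so an
 * unpublished page resolves exactly like a published one and the locator
 * reveals that the draft exists (no 404 for it).
 */
function resolvePageIndexNaive(array $urls, string $requested): int
{
    $index = array_search($requested, $urls, true);
    return $index === false ? -1 : $index;
}

/**
 * Hardened variant: for a visitor an unpublished page is indistinguishable
 * from a page that does not exist (-1, i.e. 404). For an admin ($adm = true)
 * the hidden page still resolves, so edit mode keeps the current page.
 */
function resolvePageIndex(array $urls, array $hidden, string $requested, bool $adm = false): int
{
    $index = array_search($requested, $urls, true);
    if ($index === false) {
        return -1;                      // page does not exist
    }
    if (!$adm && !empty($hidden[$index])) {
        return -1;                      // unpublished: look like a missing page
    }
    return $index;
}

/** Minimal locator: a negative index means "not found". */
function renderLocator(array $headings, int $s): string
{
    if ($s < 0) {
        return 'Error 404: Not found';
    }
    return 'Home > ' . $headings[$s];
}

// constructed sample site: index 1 is an unpublished draft
$urls     = ['Welcome', 'Draft', 'Contact'];
$headings = ['Welcome', 'Secret draft', 'Contact'];
$hidden   = [0 => false, 1 => true, 2 => false];

foreach (['Draft', 'Nonexistent', 'Contact'] as $u) {
    $naive   = renderLocator($headings, resolvePageIndexNaive($urls, $u));
    $visitor = renderLocator($headings, resolvePageIndex($urls, $hidden, $u));
    $admin   = renderLocator($headings, resolvePageIndex($urls, $hidden, $u, true));
    printf("%-12s naive: %-20s visitor: %-22s admin: %s\n", $u, $naive, $visitor, $admin);
}
```

Run with `php example.php`: for "Draft" the naive resolver prints "Home > Secret draft" while the hardened one prints "Error 404: Not found" for a visitor, which is the same output the non-existent URL produces, so the response no longer tells a visitor whether a draft is there. The admin column shows why the fix needs the hidden-page information at resolution time: without it, edit mode cannot tell a hidden page from a missing one and falls back to the first page.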

manu
Posts: 1090
Joined: Wed Jun 04, 2008 12:05 pm
Location: St. Gallen - Schweiz

Re: $s ignores publishing status of pages

Post by manu » Mon Jan 19, 2015 8:20 am

I tend to "improvable behaviour", as it reacts exactly as defined if I change to view mode.

svasti
Posts: 1659
Joined: Wed Dec 17, 2008 5:08 pm

Re: $s ignores publishing status of pages

Post by svasti » Mon Jan 19, 2015 1:57 pm

> manu wrote: I tend to "improvable behaviour", as it reacts exactly as defined if I change to view mode.
+1

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

Re: $s ignores publishing status of pages

Post by cmb » Mon Jan 19, 2015 8:53 pm

Okay. I have put this issue on the 1.7 roadmap.
Christoph M. Becker – Plugins for CMSimple_XH
