Changes for page Release Notes for XWiki 9.8-rc-1
Last modified by Gabriela Anechitoaei on 2017/09/26
Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki. ThomasMortagne1 +XWiki.mflorea - Content
... ... @@ -61,10 +61,16 @@ 61 61 62 62 When upgrading make sure you compare your ##xwiki.cfg##, ##xwiki.properties## and ##web.xml## files with the newest version since some configuration parameters may have been modified or added. Note that you should add ##xwiki.store.migration=1## so that XWiki will attempt to automatically migrate your current database to the new schema. Make sure you backup your Database before doing anything. 63 63 64 -== IssuesspecifictoXWiki <version>==64 +== Database List Property Values == 65 65 66 - <issuesspecificto the project>66 +We fixed a few security issues around Database List properties by: 67 67 68 +* restricting the type of explicit query you can use on the Database List definition based on the class author rights 69 +* evaluating the Velocity code from the explicit query only if the class author has script right 70 +* checking if the current user has the right to view the returned values (when implicit query is used) 71 + 72 +This may break existing applications if they use Database List properties and the last author of the class that holds the property definition doesn't have sufficient rights. 73 + 68 68 == API Breakages == 69 69 70 70 The following APIs were modified since <project> <version - 1>:
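Review bot: The new "Database List Property Values" section warns that existing applications may break when the last author of the class "doesn't have sufficient rights", but it never says which rights are sufficient. The second bullet names script right for Velocity in the explicit query. The first bullet ("restricting the type of explicit query ... based on the class author rights") does not say which right permits which query type, and the third does not say what a user sees when they lack view right on a returned value. Suggest stating the required right for each bullet and adding the step an administrator should take for an affected class, so that upgraders can audit their Database List definitions before migrating. Separately, the unchanged context line "The following APIs were modified since <project> <version - 1>:" still carries template placeholders and should be filled in.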