CVE-2022-41937
The XWiki Platform is a generic wiki platform that offers runtime services for applications built on it. The application allows anyone with view access to modify any page.
This happens because the import process is not aware of the Filter settings and imports the package with the default value. In XWiki 13.10, the default value for Filter.WebHome was changed to the wiki root, so the import process should now work as expected. In XWiki 14.6RC1 and 14.6, the Filter.WebHome setting is still set to the wiki root, so the import process does not work anymore. For XWiki 13.10 and 14.6, there is a patch that can be applied to change the default value for the Filter.WebHome setting to the wiki root and thus restore import functionality.
Bugzilla: https://bugzilla.xenhance.com/show_bug.cgi?id=415532
As a workaround, set the Filter.WebHome setting to something in the local host file, e.g. /xwiki.
No Symlinks
Symlinks are not handled correctly in the import process. Symlinks are not used; instead, the import process creates local paths for different types of files. In XWiki 14.6RC1 and 14.6, the import process does not work anymore because symlinks are not used. There is a patch that can be applied to handle symlinks properly in the import process and restore import functionality.
Bugzilla: https://bugzilla.xenhance.com/show_bug.cgi?id=415532
How to change the default value for the Filter.WebHome setting from the wiki root to a local host value
To change the default value for the Filter.WebHome setting from the wiki root to a local host value, add a new line with the following text to your local host file:
Add the JavaScript snippet to restore import functionality
In XWiki 14.6RC1 and 14.6, the Filter.WebHome setting is still set to the wiki root, so the import process does not work anymore. For XWiki 13.10 and 14.6, there is a patch that can be applied to change the default value for the Filter.WebHome setting to the wiki root and thus restore import functionality:
* In XWiki 13.10, add this JavaScript snippet to xconf/local-customizations/options-import-filter-webhome:
"Filter.WebHome": "xwiki:root"
* In XWiki 14.6RC1 and 14.6, add this JavaScript snippet to xconf/local-customizations/options-import-filter-webhome:
Importing from HTTPS to HTTP
The issue is caused by a configuration bug in the XML-based import process. In XWiki 13.10 and 14.6, import from HTTPS to HTTP fails because the Filter.WebHome setting is not updated automatically during the import process.
Upgrade XWiki 13.10 to 14.6RC1 or 14.6
In order to restore the import functionality, XWiki 13.10 needs to be upgraded to XWiki 14.6RC1 or XWiki 14.6 (the latest release). You can download those releases from here:
XWiki 13.10: http://download.xwiki.org/xwiki/nightly/14.6RC1-SNAPSHOT/xwiki-server-13-10-RC1-20151202143047-linux-ubuntu1404.tar.gz
XWiki 14.6RC1: http://download.xwiki.org/xwiki/nightly/14.6RC1-SNAPSHOT/xwiki-server-14-6rc1-20151202140441--linux-.tar
XWiki 14.6: http://download.xwiki.org/xwiki/nightly/14.6--20170119094546--linux-.tar
Timeline
Published on: 11/22/2022 01:15:00 UTC
Last modified on: 11/28/2022 14:42:00 UTC