From 9a59aa7a3cbb0e741b9b50b6b6ce8bd021b2479a Mon Sep 17 00:00:00 2001 From: Brett Profitt Date: Mon, 14 May 2012 17:35:53 -0700 Subject: Only caching access lists after ready, system fires. This prevents a bug where access lists could be cached and not cleared during plugin boot while access was disabled, which could expose entities set to ACCESS_PRIVATE. --- CHANGES.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'CHANGES.txt') diff --git a/CHANGES.txt b/CHANGES.txt index f5cacac29..ae0cdc333 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -8,17 +8,19 @@ Version 1.8.5 Security Enhancements: * Fixed possible XSS vulnerability if using a crafted URL. * Fixed exploit to bypass new user validation if using a crafted form. + * Fixed incorrect caching of access lists that could allow plugins + to show private entities to non-admin and non-owning users. (Non-exploitable) Bugfixes: - * Twitter API: New users are forwarded to the correct page after creating - an account with Twitter. - * Files: PDF files are downloaded as "inline" to display in the browser. - * Fixed possible duplication errors when writing metadata with multiple values. - * Fixed possible upgrade issue if using a plugin uses the system_log hooks. - * Fixed problems when enabling more than 50 metadata or annotations. + * Twitter API: New users are forwarded to the correct page after creating + an account with Twitter. + * Files: PDF files are downloaded as "inline" to display in the browser. + * Fixed possible duplication errors when writing metadata with multiple values. + * Fixed possible upgrade issue if using a plugin uses the system_log hooks. + * Fixed problems when enabling more than 50 metadata or annotations. API: - * River entries' timestamps use elgg_view_friendly_time() and can be + * River entries' timestamps use elgg_view_friendly_time() and can be overridden with the friendly time output view. Version 1.8.4 -- cgit v1.2.3
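Review bot: Most of this hunk is whitespace-only re-indentation of the existing Bugfixes and API entries, which buries the one substantive change (the new Security Enhancements entry) in noise and makes a security-fix commit harder to audit; consider keeping the re-indentation in a separate cleanup commit. Two smaller points on the lines that are touched anyway: the re-indented entry "Fixed possible upgrade issue if using a plugin uses the system_log hooks." carries a grammatical slip that should read "if a plugin uses the system_log hooks", and the new entry could state the condition given in the commit message (access lists cached during plugin boot while access checks were disabled) so that administrators reading CHANGES.txt can tell when the ACCESS_PRIVATE exposure applied.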