Security Specifications

Last modified by Caleb James DeLisle on 2011/03/25 15:12

What defines a bug as opposed to a feature?
A bug is a behavior which deviates from the specification.

A security flaw is a behavior which deviates from the specification, allowing users to do things which
specification compliant code would not allow them to do.

In order for developers to understand what is a security bug and what is not and in order for users to
know whether XWiki meets their security requirements, it is very important that everyone knows what the
specification allows the user to do.

1. Anonymous Guests

Guests are defined as members with the name XWiki.XWikiGuest. It is as if all guest users are logged in using that name.

  • 1.1 If XWiki.XWikiPreferences option guest_comment_requira_captcha exists and is set true, guests MAY NOT leave a comment on a document without correctly solving an image captcha puzzle.

2. Members

  • 2.1 Members MAY view all documents which allow view permission for their name, possibly running script which was written in that document by members.
  • 2.2 Members MAY add a comment to a document if their name has a permission called "comment" on that document.
  • 2.3 Members MAY create documents, edit document content, add and modify XObjects, and add attachments to documents if given a permission called "edit" on those documents.
  • 2.4 Members MAY delete documents (including irreversible deletion) if they have a permission called "delete".
  • 2.5 Members MAY register new user names if they have a permission called "register" on the document XWiki.XWikiPreferences. This is usually only applicable to guests.

3. Comments

A comment is an XObject of the class XWiki.XWikiComment. Comments are displayed at the bottom of the page by javascript, or separately if the request ends with ?viewer=comments.

  • 3.1 Comments MAY contain any and all wiki markup of the same syntax as the document.
  • 3.2 Comments WILL be evaluated as if they were authored by XWiki.XWikiGuest, NOT the author of the document (comments may NEVER have programming right).
  • 3.3 Comments MAY NOT cause javascript to be executed on the viewer's computer.
  • 3.4 Comments MAY NOT cause CSS style sheets to be evaluated on the viewer's computer.
  • 3.5 Comments MAY NOT cause a page to be displayed in an iFrame on the viewer's computer.
  • 3.6 Comments MAY NOT cause the viewer's browser to redirect to another webpage.
  • 3.7 Saving of a comment WILL NOT cause the content author of the document to change.
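The rules that comments may not execute javascript, load style sheets, open iframes or redirect the browser are statements about the HTML that the comment renderer finally emits, so the natural regression check is to scan that output. The checker below is an added example (not XWiki code, and not part of this specification); it walks rendered HTML with Python's standard HTMLParser and records every construct the rules forbid. The sample output strings are constructed for the example, and the tag and attribute lists are an assumption about what a renderer could emit, not an exhaustive catalogue.

```python
from html.parser import HTMLParser

# Elements whose presence in rendered comment output violates the comment rules:
# script (javascript), style (CSS), iframe/frame (framing); object/embed are
# included because they can carry either script or framing.
FORBIDDEN_TAGS = {"script", "style", "iframe", "frame", "object", "embed"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class CommentOutputChecker(HTMLParser):
    """Walk the rendered HTML of a comment and record every forbidden construct."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names; values may be None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag in FORBIDDEN_TAGS:
            self.findings.append(f"<{tag}> element")
        if tag == "meta" and attrs.get("http-equiv", "").strip().lower() == "refresh":
            self.findings.append("meta refresh redirect")          # browser redirect
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower():
            self.findings.append("external style sheet")           # CSS loaded from a URL
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")  # inline javascript
            elif name == "style":
                self.findings.append(f"inline style on <{tag}>")          # inline CSS
            elif name in ("href", "src", "action", "formaction"):
                target = value.strip().lower()
                if target.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"{name} with script URL on <{tag}>")


def check_rendered_comment(html):
    """Return the list of violations found in `html`; an empty list means the
    rendered comment stays within what the specification allows."""
    checker = CommentOutputChecker()
    checker.feed(html)
    checker.close()
    return checker.findings


# Constructed sample renderer output, not taken from any real XWiki instance.
SAMPLE_OUTPUT = {
    "plain": '<p>Thanks, this <b>works</b>; see <a href="/bin/view/Main/">Main</a>.</p>',
    "hostile": ('<p>hi <img src="x" onerror="alert(1)"></p>'
                '<iframe src="http://example.invalid/"></iframe>'
                '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'
                '<a href=" JavaScript:void(0)">x</a>'),
}

if __name__ == "__main__":
    for name, html in SAMPLE_OUTPUT.items():
        print(name, check_rendered_comment(html))
```

Run against the output of the real renderer for a corpus of comments, the function is a cheap oracle for the four MAY NOT rules; it is deliberately strict (any `style` attribute or event handler counts), because the specification grants comments no such power at all.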

4. XObject

An XObject is a structure which may be added to a Document. It may contain any of a number of properties.

  • 4.1 XObjects MAY NOT cause anything to be evaluated when viewing or editing the document unless specifically loaded and displayed by code in the document's content.

5. Content Author

The content author is the last editor of the content of a document.

  • 5.1 Saving of a document with a new or modified XObject WILL cause the content author to change.
  • 5.2 Saving of a document with modified content WILL cause the content author to change.
  • 5.3 Saving of a document with modified title WILL cause the content author to change.
  • 5.4 There MUST be no way to change the document content without becoming the content author of the document.

6. Programming Right

Programming right is permission to run scripts other than velocity and to access protected API.

  • 6.1 Programming right exists only for users who have a permission called "programming" on the document XWiki.XWikiPreferences in the main wiki (if there is a multiwiki farm).
  • 6.2 A user who has programming right MAY execute arbitrary script, load java classes, view and modify private fields with reflection, modify files, and spawn additional processes.
  • 6.3 Wiki syntax which is rendered in a document whose content author is a user having programming right is evaluated as if it has programming right.
  • 6.4 The only part of a document which MAY have programming right is the document content and any part which is called, rendered or otherwise granted permission by said content.

7. Document Content

Document content is the main part of the document; it is what will be rendered when a user views the document.

  • 7.1 Document content MAY contain javascript, CSS, iframes, and browser redirects.
  • 7.2 Document content MAY contain velocity script (it may also contain other types of server side script if the content author has programming right).
  • 7.3 When viewing a document, the document's title is part of Document Content and has the same power. Anywhere else in the wiki, the document title must not have any powers which are not available to a comment.
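Sections 3, 5, 6 and 7 together define a single question: when markup in some part of a document is rendered, whose identity, and therefore whose programming right, is it evaluated with? The model below is an added example written for this page (it is not XWiki code and makes no claim about XWiki's internal API). It encodes the content-author rules (5.1 to 5.3), the comment rules (3.2 and the rule that saving a comment never changes the content author), and the evaluation rules (6.1, 6.3, 7.3), and then shows why rule 5.4 matters: the moment a user without programming right modifies content or title, the document stops being evaluated with the previous author's rights. The user names and the set of users holding programming right are constructed for the example.

```python
from dataclasses import dataclass, field

GUEST = "XWiki.XWikiGuest"


@dataclass
class Document:
    content: str = ""
    title: str = ""
    xobjects: list = field(default_factory=list)   # non-comment XObjects (section 4)
    comments: list = field(default_factory=list)   # XWiki.XWikiComment objects (section 3)
    content_author: str = GUEST                    # section 5


def save(doc, user, content=None, title=None, xobjects=None):
    """Save edits made by `user`. Rules 5.1 to 5.3: a new or modified XObject,
    modified content or modified title makes `user` the content author.
    (That a save without any change leaves the author alone is an assumption
    of this model; the specification does not state it.)"""
    changed = False
    if content is not None and content != doc.content:
        doc.content, changed = content, True
    if title is not None and title != doc.title:
        doc.title, changed = title, True
    if xobjects is not None and xobjects != doc.xobjects:
        doc.xobjects, changed = list(xobjects), True
    if changed:
        doc.content_author = user
    return doc.content_author


def add_comment(doc, user, text):
    """A comment is an XObject, but saving one never changes the content author."""
    doc.comments.append((user, text))
    return doc.content_author


def evaluated_as(doc, part, viewing=True):
    """Identity with which markup in `part` is evaluated.
    3.2: comments always run as guest. 6.3: content runs as the content author.
    7.3: the title has that power only while the document is being viewed."""
    if part == "content" or (part == "title" and viewing):
        return doc.content_author
    return GUEST


def has_programming_right(doc, part, programming_users, viewing=True):
    """6.1 and 6.3: script in `part` gets programming right only if the identity
    it is evaluated as holds "programming" on XWiki.XWikiPreferences (main wiki)."""
    return evaluated_as(doc, part, viewing) in programming_users


def demo():
    """Constructed scenario: an admin authors content, then a plain editor edits the title."""
    programming_users = {"XWiki.Admin"}            # constructed set of users with programming right
    doc = Document()
    save(doc, "XWiki.Admin", content="content with server-side script (placeholder)")
    trail = [has_programming_right(doc, "content", programming_users)]   # True: admin authored it
    add_comment(doc, "XWiki.Admin", "a comment by the admin")           # author unchanged...
    trail.append(has_programming_right(doc, "comment", programming_users))  # ...but comment runs as guest
    save(doc, "XWiki.Editor", title="new title")                          # 5.3: editor is now content author
    trail.append(has_programming_right(doc, "content", programming_users))  # False: script loses the right
    return trail


if __name__ == "__main__":
    print(demo())
```

The last step is the property behind 5.4: if any code path let the editor change content or title while leaving `content_author` at the admin's name, the admin's programming right would be inherited by content the admin never wrote.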

8. Velocity Script

Velocity is the one type of script offered to editors who do not have programming right.

  • 8.1 Velocity script MAY load and save documents in the name and with the permissions of the viewer of that script.
  • 8.2 Velocity script MAY load and save documents in the name and with the permissions of the content author of the document where it resides.
  • 8.3 Velocity script MAY send arbitrary HQL select queries to the database but MAY ONLY retrieve lists of document names from the database.
  • 8.4 Velocity script MAY read files from the filesystem ONLY if they are contained in the /templates/ or /resources/ directories of the webapp context.
  • 8.5 Velocity script MAY NOT load classes or instantiate objects*.
  • 8.6 Velocity script MAY request the execution of non velocity script in another page if that page has programming right.
  • 8.7 The output of a Velocity script WILL be parsed as wiki syntax but MAY NOT become the syntax for another script (this applies to all script types in the 2.0 rendering system).

* Velocity allows for the instantiation of HashMap, ArrayList, and String objects and velocity scripts can call Java APIs which may return newly instantiated objects.
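Rule 8.4 confines filesystem reads to two directories, and the usual way such a rule fails in practice is a request path that starts inside an allowed directory and then climbs out with `..` segments. The function below is an added example written for this page, not XWiki code: it models the 8.4 check by normalising the requested path before testing the prefix, so the prefix test runs on the path that would actually be opened. The sample paths are constructed; the check is lexical and assumes the path has already been URL-decoded.

```python
import posixpath

# Rule 8.4: the only filesystem locations Velocity may read are these two
# directories under the webapp context.
ALLOWED_DIRS = ("/templates/", "/resources/")


def is_readable_by_velocity(requested_path):
    """Decide whether `requested_path` (URL-decoded, relative to the webapp root)
    names a file inside /templates/ or /resources/.
    Normalisation happens before the prefix test, so '..' segments cannot escape
    the allowed directories, and the bare directory names themselves are refused."""
    if "\x00" in requested_path:      # an embedded NUL truncates the path in native file APIs
        return False
    # Root every request at the webapp context, then collapse '.' and '..' segments.
    normalized = posixpath.normpath("/" + requested_path.lstrip("/"))
    return normalized.startswith(ALLOWED_DIRS)


# Constructed sample requests (the file names are illustrative, not XWiki's).
SAMPLE_REQUESTS = [
    "/templates/view.vm",
    "resources/js/app.js",
    "/templates/sub/../view.vm",
    "/templates/../WEB-INF/web.xml",
    "/resources/../../etc/passwd",
    "/templates",
    "/templates/view.vm\x00.txt",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(repr(request), is_readable_by_velocity(request))
```

A deployed check should additionally resolve the normalised path with the platform's real-path function and confirm the result is still under the allowed directory, because symbolic links and, on Windows hosts, backslash separators are not visible to a purely lexical test like this one.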
