Headline
CVE-2023-46743: The same file cannot be opened with different rights
application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachment files in view or edit mode. Currently, if a user opens an attachment file in edit mode in Collabora, this right will be preserved for all future users until the editing session is closed, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the userCanWrite query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3.
Impact
As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachment files in view or edit mode. Right now, if a user opens an attachment file in edit mode in Collabora, this right will be preserved for all future users until the editing session is closed, even if some of them have only view right.
Steps to reproduce:
- Log in with user1 that has edit access on Sandbox.TestPage1 and access the page
- Go to the Attachments tab
- Click on New office file and create the test.odt file
- Keep the editor open for editing this file
- From an incognito browser window, log in with user2 that has view access on Sandbox.TestPage1 and access the page
- Go to the Attachments tab
- Click on the Collabora button next to the newly created test.odt file
Expected result:
The file is opened in view mode
Actual result:
The file is opened in edit mode. So, the first person that opens a file sets the edit action for all future editors as long as the window is still open. Because of this, if a user with view right is the first to open a file, users with edit rights won't be able to edit it as long as the editor is open.
Investigation
The problem comes from here. Collabora server is the one issuing this request and it seems that the userCanWrite query parameter is cached even though, for example, the token is not, probably because it expects the token but no other parameters.
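The behaviour described above can be reproduced in a small model. This is an added example, not code from application-collabora and not the change made in the fix; apart from userCanWrite and token, every name in it is hypothetical, and the tokens and rights table are constructed sample data. It contrasts a host that trusts the userCanWrite parameter with one that derives the mode from the per-user token.

```python
# Constructed model of the flaw described above; all names except
# userCanWrite and token are hypothetical.
TOKENS = {"tok-user1": "user1", "tok-user2": "user2"}    # constructed sample tokens
RIGHTS = {"user1": {"view", "edit"}, "user2": {"view"}}  # rights on Sandbox.TestPage1


class EditingServer:
    """Stands in for the editing server: per open document it reuses the
    query parameters of the first request, but forwards each user's own token."""

    def __init__(self, host_handler):
        self.host_handler = host_handler
        self.cached_params = {}  # file name -> parameters seen on first open

    def open(self, file_name, token, params):
        cached = self.cached_params.setdefault(file_name, dict(params))
        return self.host_handler(token, cached)


def host_trusts_query_param(token, params):
    """Weak pattern: the access mode is read from the request parameters."""
    if token not in TOKENS:
        raise PermissionError("unknown token")
    return "edit" if params.get("userCanWrite") == "true" else "view"


def host_derives_from_token(token, params):
    """Hardened pattern: parameters are ignored; rights are looked up on
    every request for the user the token belongs to."""
    user = TOKENS.get(token)
    if user is None:
        raise PermissionError("unknown token")
    return "edit" if "edit" in RIGHTS[user] else "view"


def run_scenario(host_handler, first, second):
    """Open test.odt as `first`, then as `second`, in the same editing session."""
    server = EditingServer(host_handler)
    modes = []
    for user in (first, second):
        can_write = "true" if "edit" in RIGHTS[user] else "false"
        modes.append(server.open("test.odt", f"tok-{user}", {"userCanWrite": can_write}))
    return modes
```

With the first handler the second user always inherits the first user's mode, in both directions noted under "Actual result"; with the second handler each user gets the mode their own rights allow.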
Patches
The issue has been fixed as part of Application Collabora 1.3 by 60c6e40.
Workarounds
There are no known workarounds besides upgrading.
References
No references.