IBM Support

PM75177: Menus may return items that a user does not have access to with WCM.PATH.TRAVERSAL.SECURITY

 

APAR status

  • Closed as program error.

Error description

  • In some cases, links to content that a user does not have access
    to may be rendered in a menu.  This occurs when
    WCM.PATH.TRAVERSAL.SECURITY is true.
    
    Traces will show the following for the menu rendering these
    links:
      MenuQueryCach 3   Have hit maxItemsToCache threshold ::nnn::
    
    where nnn is the value of the setting menu.cache.max.items
    (default is 300).
    

Local fix

  • Modify the menu design or the maximum items the cache.
    For example in the menu design change the read ahead to
    d of
    10 or reduce the items per page to a lower value,
    or in the WCMConfigService.properties file (requires resta
    ange this setting:

        menu.cache.max.items = 300

    to a higher value.
    

Problem summary

  • In some cases, links to content that a user does not have access
    to may be rendered in a menu.  This occurs when
    WCM.PATH.TRAVERSAL.SECURITY is true.
    
    Traces will show the following for the menu rendering these
    links:
      MenuQueryCach 3   Have hit maxItemsToCache threshold ::nnn::
    
    where nnn is the value of the setting menu.cache.max.items
    (default is 300).
    

Problem conclusion

  • i-fix Name:     PM75177
    
    Problem Summary:
    Menus may return items that a user does not have access to
    with WCM.PATH.TRAVERSAL.SECURITY
    
    Detailed Problem Description:
    In some cases, links to content that a user does not have access
    to may be rendered in a menu when WCM.PATH.TRAVERSAL.SECURITY is
    true.

    Traces will show the following for the menu rendering these
    links:
      MenuQueryCach 3   Have hit maxItemsToCache threshold ::nnn::
    
    where nnn is the value of the setting menu.cache.max.items
    (default is 300).
    
    Problem Analysis:
    When the maxItemsToCache threshold is hit, the menu cache is no
    longer used; instead, the items are retrieved from the database
    as the user in question.  The issue is that this retrieval was
    being performed without WCM.PATH.TRAVERSAL.SECURITY being taken
    into consideration.
    
    Problem Solution:
    Updated code to ensure the WCM.PATH.TRAVERSAL.SECURITY is used
    even when items are retrieved from the DB as the user.
    
    Affected Users:
    All users
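
An added example (not IBM's code) of checking for the condition described above: it reads the two settings named in this APAR from properties text and counts the quoted trace message. The sample properties and trace lines are constructed, the timestamp and thread-id prefix on each trace line is an assumed layout, and treating only an explicit `true` as enabled is an assumption.

```python
import re

# Trace message quoted in the APAR; the number is the threshold that was hit.
THRESHOLD_RE = re.compile(
    r"MenuQueryCach\s+3\s+Have hit maxItemsToCache threshold\s+::(\d+)::")

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props

def assess(properties_text, trace_text):
    """Report whether the APAR's two preconditions are both present."""
    props = parse_properties(properties_text)
    # Assumption: only an explicit "true" counts as enabled.
    security_on = props.get("wcm.path.traversal.security", "").lower() == "true"
    max_items = int(props.get("menu.cache.max.items", "300"))  # default per the APAR
    hits = [int(m.group(1)) for m in THRESHOLD_RE.finditer(trace_text)]
    return {
        "path_traversal_security": security_on,
        "menu_cache_max_items": max_items,
        "threshold_hits": len(hits),
        # Both conditions from the APAR: setting is true and the cache was bypassed.
        "matches_apar_condition": security_on and len(hits) > 0,
    }

# Constructed sample input (not taken from a real system).
SAMPLE_PROPERTIES = """\
# WCMConfigService.properties (constructed excerpt)
WCM.PATH.TRAVERSAL.SECURITY = true
menu.cache.max.items = 300
"""
SAMPLE_TRACE = """\
[10/17/12 09:14:02:113 UTC] 0000004a MenuQueryCach 3   Have hit maxItemsToCache threshold ::300::
[10/17/12 09:14:02:250 UTC] 0000004a SomeOtherComp 3   unrelated trace line
[10/17/12 09:20:41:007 UTC] 0000005c MenuQueryCach 3   Have hit maxItemsToCache threshold ::300::
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PROPERTIES, SAMPLE_TRACE))
```

A system that reports `matches_apar_condition` as true and does not yet have the PM75177 fix is in the state this APAR describes.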
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM75177

  • Reported component name

    LOTUS WEB CONT

  • Reported component ID

    5724I2900

  • Reported release

    615

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-10-17

  • Closed date

    2012-10-17

  • Last modified date

    2012-10-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    LOTUS WEB CONT

  • Fixed component ID

    5724I2900

Applicable component levels

  • R615 PSY

       UP

Product: IBM Web Content Manager
Platform: Platform Independent
Version: 6.1.5

Document Information

Modified date:
20 December 2021