Version 2018-11-29: Security fix for DokuWiki Greebo

If you are using the DokuWiki Greebo release and rely on ACL checks in
the include plugin, apply this change as soon as possible. Note that
this is only an issue with namespace includes, so if you do not use
namespace includes and edits are only allowed for users that have access
to your whole wiki, this does not concern you (but updating is still
recommended).

Note that this is a problem caused by a bug in DokuWiki release Greebo.
A future hotfix release of DokuWiki might fix this, too, see
dokuwiki/dokuwiki#2609 for further
information.

Author: michitux

helper.php

@@ -704,7 +704,7 @@ function _get_included_pages($mode, $page, $sect, $parent_id, $flags) {
             $ns    = utf8_encodeFN(str_replace(':', '/', $page));
             // depth is absolute depth, not relative depth, but 0 has a special meaning.
             $depth = $flags['depth'] ? $flags['depth'] + substr_count($page, ':') + ($page ? 1 : 0) : 0;
-            search($pagearrays, $conf['datadir'], 'search_allpages', array('depth' => $depth), $ns);
+            search($pagearrays, $conf['datadir'], 'search_allpages', array('depth' => $depth, 'skipacl' => false), $ns);
             if (is_array($pagearrays)) {
                 foreach ($pagearrays as $pagearray) {
                     if (!isHiddenPage($pagearray['id'])) // skip hidden pages

plugin.info.txt

@@ -1,7 +1,7 @@
 base   include
 author Michael Hamann, Gina Häussge, Christopher Smith, Michael Klier, Esther Brunner
 email  michael@content-space.de
-date   2018-04-24
+date   2018-11-29
 name   include plugin
 desc   Functions to include another page in a wiki page
 url    http://dokuwiki.org/plugin:include