Known Issues of TWiki Production Release 01-Sep-2004 - 04-Sep-2004

These are known issues of TWikiRelease01Sep2004, TWikiRelease02Sep2004, TWikiRelease03Sep2004 and TWikiRelease04Sep2004. The latter one is a production ready release, suitable for all TWiki deployments. Its code name is CairoRelease.

Security Alerts

• Security Audit: Crypt token based fix for cross-site request forgery vulnerability
  • Details in SecurityAuditTokenBasedCsrfFix, fixed in TWiki 4.3.2
• Security Alert: Cross-site request forgery vulnerability with image tag
  • Fix available in SecurityAlert-CVE-2009-1339, fixed in TWiki 4.3.1
• Security Alert: SessionPlugin allows arbitrary code execution in session files (CVE-2007-0669)
  • Fix available in SecurityAlert-CVE-2007-0669, fixed in TWiki 4.1.1
• Security Alert: Login bypass allows view of access restricted content, only with SessionPlugin on Apache 1.3 (CVE-2006-6071)
  • Fix available in SecurityAlert-CVE-2006-6071
• Security Alert: Secure webserver to prevent script execution of uploaded files (CVE-2006-3336)
  • Fix available in SecurityAlertSecureFileUploads, fixed in TWikiRelease04x00x04
• Security Alert: TWiki INCLUDE function allows DoS attack on itself
  • Fix available in SecurityAdvisoryDosAttackWithInclude and in TWikiRelease04x00x02
• Security Alert: TWiki INCLUDE function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithInclude
  • Patched production release TWikiRelease04Sep2004 available
• Security Alert: TWiki history function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithRev
  • Patched production release TWikiRelease03Sep2004 available
• Security Alert: TWiki search function allows arbitrary shell command execution
  • Fix available in SecurityAlertExecuteCommandsWithSearch
  • Patched production release TWikiRelease02Sep2004 available
• Security Audit: Check TWiki Installation for Visible Lib Directories
  • Suggestion available in SecurityAuditOnVisibleLibDir

• Note: See other TWikiSecurityAlerts

Major Issues

• Apache 2.0 fixes needed
  • Please report your experiences to IssuesWithApache2dot0
• Perl 5.8 updates needed
  • Please report your experiences to IssuesWithPerl5dot8
• Bug: WikiWords in non-English locales are not linked automatically
  • Fix available: Apply two patches, GermanUmlauteBreakWikiWords and CyrillicTopicNameError
  • Other internationalisation bugs are collected in InternationalisationIssues

Minor Issues

• ScriptToCreateNewWebWithAttachments - feature postponed
  • Right now the attachments will have to be checked and moved manually
• Login link is missing before being authenticated when using PatternSkin
  • Fix available for MissingTWikiGuestLeftBarInTWikiRelease01Sep2004
• When using PatternSkin, the "send feedback" link at the bottom always sends WebBottomBar as subject.
  • How to fix this is described in SendFeedbackDoesNotUseCurrentTopic.
• Links to version controlled attachments always shows latest version only
  • Fix available for AttachmentVersionsBrokenOnlyShowsLast

Major Browser Issues

• UnresolvedVarsInURL: PatternSkin requires setting USERLAYOUTURL and USERSTYLEURL in TWiki.TWikiPreferences

Minor Browser Issues

• Support.BrowserIssues: Known browser issues with work arounds
• Support.BrowserFormattingIssues: Known browser formatting issues
• Search results with PatternSkin: Internet Explorer shows formatting bugs with search results (WebChanges, changes template, formatted search in a topic). This is solved in an update of PatternSkin. Please download the latest version of PatternSkin.

Bug reports

It's also worth checking BugReports and KnownBugsOfTWiki01Sep2004, which lets you track open, assigned and resolved bugs. Many bugs are quite rare, and of course there may already be a fix.

NOTE: Please report a bug if you found an issue with this release. Below feedback is just for minor issues.

-- PeterThoeny - 16 Aug 2004

Feedback

Two observations with pattern skin:

• The personal left bar works only if view is authenticated. Is this mentioned somewhere?
• Mozilla 1.7.2 does not display the mail "Automated notification of topic changes" correctly when "Display attachments inline" is activated. (the leftbar overlays the text part of the mail)
  • I don't see this at all in twiki.org using Mozilla 1.5. By the way - is there a notification of single topic changes? -- AndrzejGoralczyk - 31 Aug 2004
  • I do see this problem using Mozilla 1.6 or Netscape 7.0, don't know if it's related to a specific skin though. -- StevePrior - 25 Oct 2004

Otherwise, great job. I really like the new look.

-- HeinrichNirschl - 31 Aug 2004

Distro is updated with these fixes: Added Main.WebLeftBar, Sandbox.WebLeftBar, enabled PatternSkin by default. See download links mentioned in CairoRelease.

-- PeterThoeny - 31 Aug 2004

Note that if you had customised your previous installation and want to get a list of what you changed, you might want to look at the TWikiReleaseTrackerPlugin

-- MartinCleaver - 01 Sep 2004

File not foundhttp://www.bkdesign.ca/cgi-bin/twiki/bin/ view/Main/ (USERSTYLEURL): Bad Request

Error from W3C Validator brought this issue to my attention. This was after removing the Sitemap from page as it was also generating errors from no img closing tags "/", and for some reason I was only able to fix a few of them. But that is another matter. For now I am looking at twiki.pattern.tmpl and debating what best to do with it...I noticed when I pasted the error report in here, empty.css replaced the code which is in the head of the pages...gotcha lol Update: After fixing the path in TWikiPreferences to empty.css, it threw an error: Uncaught error java.lang.Exception: Import loop detected in http://www.bkdesign.ca/twiki/pub/TWiki/PatternSkin/empty.css In empty.css that came with TWiki installation package it has: /**/ I removed it??

As I go through the site there are more errors, perhaps I should document these and fixes?

It would help a lot if each page had a "track this topic" link easy to find...

-- BruceRProchnau - 13 Jan 2005

Bruce, do you realise that your empty.css is not empty? In any case your report is better filed as a BugReport. It's easier to track that way. (and yes your right about the 'track this topic' idea. It's a frequently requested enchancement for which there are some topics around here for. Search for 'mailnotify')

BTW, nice looking site you have.

-- MattWilkie - 13 Jan 2005

Thanks Matt. It has changed since a lot. Some of these "errors" are mine

-- BruceRProchnau - 02 Feb 2005

I use PatternSkin. And I early hacked the source file so it ignored the USERLAYOUTwhatever vars? The issue a few people had was related to Firefox and cookies. It could happen that some had to authenticate 2-3 even 4 times. That was fixed by deleting all cookies. And it went away when upgrading Firefox from a 0.X version to 1.0. So if you see such behavour and only 1-2 clients have it - check for early versions of Firefox.

-- KennethLavrsen via TWikiIRC - 17 Mar 2005

"...some of these 'errors' are mine..." maybe so but not all of them, I also got the "Uncaught error java.lang.Exception: Import loop detected in..." error from w3c (which is how i found this topic) did a bug report ever get filed as suggested? if so its damn hard to find.

-- TravisBarker - 23 Apr 2005

NOTE: Please report a bug if you found an issue with this release. Please do not use this topic as a bug database, it is not maintainable!

-- PeterThoeny - 16 Aug 2004