Bug: Topics With Passwd In Name Cannot Be Included
TWikiDotPm has a bug that prevents the inclusion of any file with the substring passwd in the topic name.
This bug is caused by the piece of code below (TWikiDotPm/handleIncludeFile):
    sub handleIncludeFile
    {
        my( $theAttributes, $theTopic, $theWeb, $verbatim, @theProcessedTopics ) = @_;
        my $incfile = extractNameValuePair( $theAttributes );
        my $pattern = extractNameValuePair( $theAttributes, "pattern" );
        if( $incfile =~ /^http\:/ ) {
            # include web page
            return handleIncludeUrl( $incfile, $pattern );
        }
        # CrisBailiff, PeterThoeny 12 Jun 2000: Add security
        $incfile =~ s/$securityFilter//go;   # zap anything suspicious
        $incfile =~ s/passwd//goi;           # filter out passwd filename
        # ... (rest of the routine omitted in this excerpt)
Test case
About to try including PasswdCgiScript. You get the contents of the topic CgiScript in its place.
Environment
--
MartinCleaver - 24 Jun 2002
Follow up
Fix record
This is a security feature to prevent the include of a .htpasswd with a relative path starting from $dataDir.
Fix: Relaxed the rule to not filter out the string if $doSecureInclude = "1" in TWiki.cfg (which is the default).
In TWikiAlphaRelease and TWiki.org.
--
PeterThoeny - 17 Jul 2002
Would it not be better to filter out all .* files, to include .htaccess, .htpasswd, etc., as is the norm for hiding files (in *nix anyway!) with a regex such as
    $incfile =~ s/(^|\/)\./$1/g;
--
RobNorman - 25 Jul 2002
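The two filters discussed on this page, side by side: the substring rule from handleIncludeFile that produces the PasswdCgiScript bug in the report above, and the leading-dot rule RobNorman suggests. This is an added illustration, not TWiki code; the subroutine names and the sample topic names are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rule as shipped in handleIncludeFile: remove the substring "passwd"
# wherever it occurs, case-insensitively. Any topic whose name merely
# contains that substring is silently rewritten to a different topic.
sub filter_passwd_substring {
    my ($incfile) = @_;
    $incfile =~ s/passwd//gi;
    return $incfile;
}

# RobNorman's alternative: strip the leading dot from every path
# component, so hidden files such as .htpasswd and .htaccess lose the
# dot that makes them resolve, while ordinary topic names are untouched.
# It only addresses hidden files; anything else suspicious in the path
# is still left to the $securityFilter substitution that runs before it.
sub filter_hidden_files {
    my ($incfile) = @_;
    $incfile =~ s/(^|\/)\./$1/g;
    return $incfile;
}

# Constructed sample inputs (not taken from a real TWiki site).
my @cases = (
    'PasswdCgiScript',   # legitimate topic from the bug report
    '.htpasswd',         # the file the original rule was written to block
    'Sub/.htpasswd',     # same file one directory down
    'Notes.htaccess',    # dot not at the start of a component: left alone
);

printf "%-18s %-18s %-18s\n", 'input', 'substring rule', 'hidden-file rule';
for my $name (@cases) {
    printf "%-18s %-18s %-18s\n",
        $name, filter_passwd_substring($name), filter_hidden_files($name);
}
```

Running it shows the substring rule turning PasswdCgiScript into CgiScript while the hidden-file rule leaves it alone, and both rules altering the .htpasswd inputs.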