Question
Potential security risk with CommentPlugin: if you enter some text which the twiki `engine' typically expands, e.g., %INCLUDE{Main.WebHome}%, this text is effectively expanded, i.e., including the text of the other page...
This problem can easily be avoided, e.g., by rewriting every % into something like <nop>%<nop>.
I tested this out by including the following line in Comment.pm: if line 257 reads $output =~ s/%/<nop>%<nop>/go;, the include statement does not get expanded...
I believe this is a bug...
Environment
--
TWikiGuest - 27 Jan 2005
Answer
The comment plugin expands the same variables as are expanded on topic creation, and $INCLUDE isn't one of them. Is the version of commentplugin the one from the release?
--
CrawfordCurrie - 16 Feb 2005
yes it is the commentplugin version of the release...
I describe the installation procedure on http://godot.be/installingTwiki (I use debian/ubuntu and redhat/fedora).
If you enter in a box like this one something like %INCLUDE{WebIndex}%, this variable will be expanded due to the non-post-processing of the percent sign...
This "issue" can easily be solved by adding a single line to twiki/lib/TWiki/Plugins/CommentPlugin:
.../twiki/lib/TWiki/Plugins/CommentPlugin$ diff -bruN Comment.pm~ Comment.pm
--- Comment.pm~ 2005-01-26 23:38:23.000000000 +0100
+++ Comment.pm 2005-01-27 01:29:28.000000000 +0100
@@ -254,6 +254,7 @@
my @t = gmtime();
my $now = sprintf( "%02d:%02d:%02d", $t[2], $t[1], $t[0] );
$output =~ s/21:49:49/$now/go;
+ $output =~ s/%/<nop>%<nop>/go;
my $bloody_hell = TWiki::Func::readTopicText( $web, $topic, undef, 1 );
my $premeta = "";
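Review bot: the added `$output =~ s/%/<nop>%<nop>/go;` escapes every `%` in the whole `$output`, not only the text the user typed into the comment box, so any variable the comment template itself leaves for rendering (the ones the reply above says are expanded on topic creation) is disabled too, and a harmless literal `%` in a comment (say "50%") is rewritten as well. Suggest applying the escape to the user-supplied comment text before it is merged into `$output`, so the template's own variables are untouched, rather than rewriting the assembled output after the timestamp substitution. Minor: the `/o` modifier does nothing for a pattern without interpolated variables; `s/%/<nop>%<nop>/g` is sufficient.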
cu & thanks for the very neat twiki features...
--
DannyDeCock - 25 Jun 2005
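As an added illustration for the question and for Danny's patch above (this is not CommentPlugin's code and not part of the original thread), the following Perl contrasts escaping `%` in the whole assembled output with escaping only the user-supplied text. The template string, the `COMMENTTEXT` placeholder and the helper names are constructed for the example; `%WIKIUSERNAME%` stands in for a variable the template itself expects the renderer to expand.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for a comment template. %WIKIUSERNAME% is the
# template's own variable and should stay expandable; COMMENTTEXT is a
# hypothetical placeholder for the text the user typed into the box.
my $TEMPLATE = "   * %WIKIUSERNAME% wrote: COMMENTTEXT\n";

# Neutralise every '%' so the TWiki renderer cannot see a %NAME{...}%
# sequence. Same rewrite as in the patch above, wrapped in a function.
sub escape_percent {
    my ($text) = @_;
    $text =~ s/%/<nop>%<nop>/g;
    return $text;
}

# Patch-style: merge first, then escape the whole output. The template's
# own %WIKIUSERNAME% gets escaped together with the user's text.
sub build_escape_all {
    my ($comment) = @_;
    (my $out = $TEMPLATE) =~ s/COMMENTTEXT/$comment/;
    return escape_percent($out);
}

# Scoped: escape only the user-supplied text, then merge. The template's
# variables survive; the user-supplied %INCLUDE{...}% does not expand.
sub build_escape_user {
    my ($comment) = @_;
    my $safe = escape_percent($comment);
    (my $out = $TEMPLATE) =~ s/COMMENTTEXT/$safe/;
    return $out;
}

# Constructed comment mixing a variable-shaped sequence with a literal '%'.
my $comment = 'see %INCLUDE{Main.WebHome}% and 50% of the rest';
print "escape all:  ", build_escape_all($comment);
print "escape user: ", build_escape_user($comment);
```

Running it shows that the first variant also wraps `%WIKIUSERNAME%` in `<nop>` tags, while the second leaves the template's variable alone and only neutralises the `%` characters that came from the comment box, which is the scope a fix for the reported behaviour wants.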
I just tested this at TestComment, it works as expected. I am wondering what makes INCLUDE expand in your environment.
--
PeterThoeny - 24 Dec 2006