
With reference to Item1610, which I don't want to re-open as that particular bug was resolved, but the same problem is still present for me -- it's just moved!

The value of NameFilter is indeed properly encoded when displayed in the form (as described in Item1610). Unfortunately, it is not properly encoded when regurgitated on the confirmation page as a hidden field. So it still gets corrupted, as do any other fields containing embedded quotes etc.

<input type="hidden" name="{NameFilter}" value="(?-xism:[\s\*?~^\$@%`"'&;|<>\x00-\x1f])" />

This is despite the use of CGI::hidden to generate those fields, which ought to be encoding things, so I guess this is the same "bug in certain versions of CGI.pm" that caused the original problem. Nonetheless, it's exceptionally annoying; it means configure is unusable on (at least) many 1-2 year old stock RedHat systems as it always breaks the configuration. Is there a more general solution that can be applied to all the fields? What's the nature of the CGI.pm bug, e.g. would it work if you use $cgi->hidden() rather than CGI::hidden()?

On a broader note, I find the term "filter-in regex" misleading. This is surely a filter-out regex -- a blacklist. It's better security practice to use a whitelist rather than a blacklist, but I guess that's an enhancement request.
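As an added illustration (Python, written for this page; not TWiki's Perl code and not part of the report above): a hidden field emitted without HTML attribute escaping is parsed back truncated at the first embedded quote, exactly the corruption described, whereas one built with html.escape round-trips the full {NameFilter} value. The sample value is the one quoted in the report; the parser stands in for what a browser would submit.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the {NameFilter} value quoted in the report above
# (a raw string, so the backslashes are literal, as in the stringified regex).
NAME_FILTER = r"""(?-xism:[\s\*?~^\$@%`"'&;|<>\x00-\x1f])"""


def hidden_naive(name, value):
    """Emit the field the way the broken CGI.pm did: no attribute escaping."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


def hidden_escaped(name, value):
    """Escape &, <, >, " and ' so the whole value survives as one attribute."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


class _HiddenFields(HTMLParser):
    """Collect the value a browser would submit for each hidden input."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: attribute values are unescaped
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def submitted_value(markup, name):
    """Return what the form would post for the hidden field `name`."""
    parser = _HiddenFields()
    parser.feed(markup)
    parser.close()
    return parser.fields.get(name)


def round_trips(value):
    """True if the escaped hidden field comes back byte-for-byte identical."""
    return submitted_value(hidden_escaped("{NameFilter}", value), "{NameFilter}") == value


if __name__ == "__main__":
    print("naive  :", submitted_value(hidden_naive("{NameFilter}", NAME_FILTER), "{NameFilter}"))
    print("escaped:", submitted_value(hidden_escaped("{NameFilter}", NAME_FILTER), "{NameFilter}"))
```

The naive version loses everything after the embedded double quote, which is why the setting is rewritten incorrectly on every save.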


I fixed this in DEVELOP branch, so it should be in 4.1. Unfortunately I have no way of testing it, as all my installs use working versions of CGI, but I'm pretty sure I fixed it. My fix ought to port trivially to earlier revs, if someone wants to make a patch/hotfix (I don't have time).

Please raise your filter-in/filter-out issue in Codev. This is a bug report, not the right place for discussing design.

CC

4.1.0 released

KJL

ItemTemplate
Summary: Configure script still corrupts {NameFilter} with (?-xism:
ReportedBy: TWiki:Main.BenJWheeler
Codebase: 4.0.4
SVN Range: Wed, 12 Jul 2006 build 11001
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: 11105
TargetRelease: minor
Topic revision: r5 - 2007-01-16 - KennethLavrsen