
Item6809: Configure regexp checker broken

Item Form Data

AppliesTo: Engine
Component: Configure
Priority: Urgent
CurrentState: Closed
WaitingFor:
TargetRelease: patch
ReleasedIn: 5.1.1


Detail

Configure's regexp checker fails miserably if you give it a valid regexp containing a /. Simply enter '/x' in any checked REGEXP field.

Yes, it happens in real life - consider a match on an X509 certificate, where typical data is /C=UK/O=Megalith/G=Fred...

Bug is that it does an eval "qr/$str/";

Shouldn't use delimiter at all; anything you pick is wrong somewhere. Do this 1 line change instead:

lib/TWiki/Configure/Checker.pm ~ line 239 in trunk:

# Check for a compilable RE
sub checkRE {
    my ($this, $keys) = @_;
    my $str;
    eval '$str = $TWiki::cfg'.$keys;
    return '' unless defined $str;
    eval "'x' =~ \$str";                      #<<<<<<<< 
    if ($@) {
        return $this->ERROR(<<MESS);
Invalid regular expression: $@ <p />
See <a href="http://www.perl.com/doc/manual/html/pod/perlre.html">perl.com</a> for help with Perl regular expressions.
MESS
    }
    return '';
}

For now, I ship a custom work-around for especially vulnerable fields. That's a bad thing.

Urgent because valid user input produces false and hard to diagnose errors. E.g. '/emailAddress=\w+\@example\.com' produces:

Error: Invalid regular expression: Bareword found where operator expected at (eval 1394) line 1, near "qr//emailAddress"

-- TWiki:Main/TimotheLitt - 2011-09-15

Thank you Timothe. This is now in SVN trunk and 5.1 branch. Could you please check if the fix is good?

-- TWiki:Main.PeterThoeny - 2011-09-21

Yes, it's good.

While we're here, it might be good to check $@ after the first eval. Something like:

eval '$str = $TWiki::cfg'.$keys;
$@ and return $this->ERROR( "Bad item key $keys: $@" );  #<<<<++
return '' unless defined $str;

An eval without a check of $@ can produce odd behaviors that are really hard to track down ...

-- TWiki:Main.TimotheLitt - 2011-09-21
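
The failure and the fix discussed in this report, side by side, as an added example that is not TWiki's own code. The names `check_old`, `check_new`, `lookup` and the `%cfg` hash with its keys are made up here to stand in for the checker and `%TWiki::cfg`; the first two sample values are the ones quoted in the report, the third is a constructed invalid pattern.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for %TWiki::cfg; the key names are hypothetical.
our %cfg = (
    CertSubject => '/C=UK/O=Megalith/G=Fred',
    EmailMatch  => '/emailAddress=\w+\@example\.com',
    Broken      => 'foo(',
);

# Old behaviour: the value is pasted into Perl source between '/' delimiters,
# so a '/' in the data ends the pattern early and the rest is parsed as code.
sub check_old {
    my ($str) = @_;
    eval "qr/$str/";
    return $@ ? "ERROR: $@" : '';
}

# Behaviour after the one-line change: the eval'd source only names the
# variable, so the value is compiled as a pattern at run time and no
# delimiter is involved.
sub check_new {
    my ($str) = @_;
    eval "'x' =~ \$str";
    return $@ ? "ERROR: $@" : '';
}

# Key lookup with the $@ check suggested in the follow-up comment.
sub lookup {
    my ($keys) = @_;
    my $str;
    eval '$str = $cfg' . $keys;
    return ( undef, "Bad item key $keys: $@" ) if $@;
    return ( $str, '' );
}

# '{Oops' is a deliberately malformed key to exercise the $@ check.
for my $keys ( '{CertSubject}', '{EmailMatch}', '{Broken}', '{Oops' ) {
    my ( $str, $err ) = lookup($keys);
    if ($err) { print "$keys: $err\n"; next; }
    printf "%s\n  old: %s  new: %s", $keys,
        check_old($str) || "ok\n", check_new($str) || "ok\n";
}
```

The two values containing `/` are rejected only by `check_old`, while `foo(` is rejected by both, so the changed check still catches patterns that really do not compile.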

I am closing this one because of today's TWiki-5.1.1 patch release. Please file a new report for the additional issue.

-- PeterThoeny - 2012-01-14

ItemTemplate
Summary Configure regexp checker broken
ReportedBy TWiki:Main.TimotheLitt
Codebase ~twiki4, 5.1.0, 4.2.3
SVN Range TWiki-5.1.0, Mon, 12 Sep 2011, build 22279
AppliesTo Engine
Component Configure
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:22330 TWikirev:22331
TargetRelease patch
ReleasedIn 5.1.1
Topic revision: r7 - 2012-01-16 - GeorgeTrubisky
 