
Item7570: INCLUDE{http://THIS_SERVER/cgi-bin/view/THIS_WEB/THIS_TOPIC} brings TWiki down

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: patch
ReleasedIn: 6.0.2


Detail

%INCLUDE{http://THIS_SERVER/THIS_WEB/THIS_PAGE}% on a TWiki topic causes an infinite INCLUDE loop, which brings the TWiki server down when the topic is viewed.

TWiki::_includeUrl() needs to check if the specified URL may cause infinite loop.

Checking if the specified URL matches $this->getScriptUrl(1, 'view', $web, $topic) is not enough, because:

  1. The TWiki server might be referred to by another name
  2. There might be an alternative path to the topic -- e.g. /WEB/TOPIC is the canonical path but /cgi-bin/view/WEB/TOPIC works too
  3. Accessing /WEB means accessing WEB.WebHome, which needs to be taken into account

For 1, a new configuration parameter {UrlHostRegex} is introduced. If it's defined, check if the specified URL matches {UrlHostRegex}. If {UrlHostRegex} is not defined, {DefaultUrlHost} is used instead.

If the current page is WebHome, check if the specified URL matches m:/$web\b:. Otherwise, check if the specified URL matches m:/$web[./]$topic\b:.

If both the server name and web/topic match, the call to _includeUrl() is aborted.

-- TWiki:Main/HideyoImazu - 2014-10-07
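
The two-step check described above, as an added Perl illustration that is not TWiki's own _includeUrl() code: would_include_self is a hypothetical name, and the host names, web and topic values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed configuration for this example. {DefaultUrlHost} is a real
# TWiki setting; {UrlHostRegex} is the new parameter proposed above.
my %cfg = (
    DefaultUrlHost => 'http://wiki.example.com',
    # Every name this server answers to; set to undef to fall back to DefaultUrlHost.
    UrlHostRegex   => qr{^https?://(?:wiki|twiki)\.example\.com(?::\d+)?(?:/|$)}i,
);

# Hypothetical check modelled on the rules in the report: returns 1 when
# including $url from topic $web.$topic would include the topic itself.
sub would_include_self {
    my ( $url, $web, $topic, $cfg ) = @_;

    # Step 1: is the URL on this server, under any of its names?
    my $on_this_host;
    if ( defined $cfg->{UrlHostRegex} ) {
        $on_this_host = $url =~ $cfg->{UrlHostRegex};
    }
    else {
        my $default = quotemeta $cfg->{DefaultUrlHost};
        $on_this_host = $url =~ m{^$default(?:/|$)}i;
    }
    return 0 unless $on_this_host;

    # Step 2: does the path name this web/topic? Take the path part only,
    # so /WEB/TOPIC and /cgi-bin/view/WEB/TOPIC are both caught.
    my ($path) = $url =~ m{^[a-z]+://[^/]+(/[^?#]*)?}i;
    $path = '/' unless defined $path;
    my ( $qweb, $qtopic ) = ( quotemeta $web, quotemeta $topic );
    # Bare /WEB means WEB.WebHome, so on WebHome the web name alone matches.
    return ( $path =~ m{/$qweb\b} ? 1 : 0 ) if $topic eq 'WebHome';
    # \b stops /Main/MyTopic from matching /Main/MyTopicTwo.
    return $path =~ m{/$qweb[./]$qtopic\b} ? 1 : 0;
}

# Constructed cases: [ url, web, topic ] for the topic being viewed.
my @cases = (
    [ 'http://wiki.example.com/cgi-bin/view/Main/MyTopic', 'Main', 'MyTopic' ],  # canonical self-URL
    [ 'http://twiki.example.com/Main/MyTopic',             'Main', 'MyTopic' ],  # host alias, short path
    [ 'http://wiki.example.com/Main/MyTopicTwo',           'Main', 'MyTopic' ],  # different topic, shared prefix
    [ 'http://wiki.example.com/Main',                      'Main', 'WebHome' ],  # bare /WEB is WebHome
    [ 'http://other.example.org/Main/MyTopic',             'Main', 'MyTopic' ],  # another server entirely
);
printf "%-52s viewed from %s.%s -> %d\n", @$_, would_include_self( @$_, \%cfg ) for @cases;
```

The WebHome rule is deliberately broad, as the report specifies: any path under the current web is refused while viewing that web's WebHome.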

How about using $TWiki::cfg{PermittedRedirectHostUrls} instead of a new config?

-- TWiki:Main.PeterThoeny - 2014-10-07

{UrlHostRegex} seems necessary for the following reasons.

Repurposing {PermittedRedirectHostUrls} (obviously for redirect) is convoluted (TWiki administrators would be puzzled) and doesn't work sometimes. There might be a case where redirect to a different server A is permitted and also some pages of server A are included.

Maybe initially {PermittedRedirectHostUrls} was for its own host name aliases, as the following sentence in lib/TWiki.spec indicates. But now it is not only for that.

If your host has aliases (such as both www.twiki.org and twiki.org, and some IP addresses) you need to list them to tell TWiki that redirecting to them is OK.

-- TWiki:Main.HideyoImazu - 2014-10-18

ItemTemplate
Summary INCLUDE{http://THIS_SERVER/cgi-bin/view/THIS_WEB/THIS_TOPIC} brings TWiki down
ReportedBy TWiki:Main.HideyoImazu
Codebase ~twiki4, 6.0.1
SVN Range TWiki-6.0.1-trunk, Mon, 29 Sep 2014, build 28107
AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:28296 TWikirev:28297 TWikirev:28467 TWikirev:28468 TWikirev:28473 TWikirev:28474 TWikirev:28475 TWikirev:28476
TargetRelease patch
ReleasedIn 6.0.2
Topic revision: r20 - 2016-01-22 - PeterThoeny