Lately I have discovered a major problem in TWiki, which allows a
person with editing rights to make changes to a topic which are hard
or maybe even impossible to revert inside TWiki.
If you add the following lines inside a topic nearly all links to edit
or change it are broken:
<!--
* Set TOPIC=<Some other name>
-->
I have changed the topic of the site "HijackTopicVariable" to "SandBoxBroken"
(http://twiki.org/cgi-bin/view/Sandbox/HijackTopicVariable)
and now it is not possible to change the page anymore.
I have discovered this bug while searching for a way to change the
title of the page (e.g. in the breadcrumb menu) to something more human
readable.
-- Boris von Loesch - 30 Mar 2007 - via e-mail to twiki-security mailing list
This applies since TWiki 4. Any internal variable can be overloaded, which is flexible and a curse at the same time.
We possibly need a variable that defines the final settings, similar to the FINALPREFERENCES?
--
TWiki:Main/PeterThoeny - 30 Mar 2007
ah, this'll be good to fix :/
as it's from the SESSION_TAGS hash
$this->{SESSION_TAGS}{TOPIC} = $topic;
$this->{SESSION_TAGS}{WEB} = $web;
which we should see if we can remove, and replace with (maybe) SESSION prefs that are FINALIZED as Peter points out?
--
TWiki:Main.SvenDowideit - 07 Apr 2007
Yes; might get to delete some more code at the same time
I introduced the SESSION_TAGS to simplify (and understand) %INCLUDE, which needs to push new values. However Prefs now supports this (using mark and reset) so this hash can probably be retired.
--
CC - 15 Apr 2007
Not the major code refactor fix proposed here, but then again no one did anything since April 2007.
I decided to check in a simple fix that cures the problem so there is one less thing for an admin to worry about.
--
TWiki:Main.KennethLavrsen - 30 Jul 2008
I'm re-opening this because the "simple fix" is a hack, and doesn't attempt to address the core problem.
TWiki is highly flexible, and any built-in can be overridden - that's a key feature. How is overriding TOPIC or WEB any worse than overriding anything else? (for example, IF or SEARCH)
--
CrawfordCurrie - 30 Jul 2008
We discussed this this morning.
We now agree that TOPIC and WEB (and possibly others) need to be protected. I will tonight (30 Jul 2008) verify that the two can be finalized in TWikiPrefs. If so I will change from hack to finalize solution.
--
TWiki:Main.KennethLavrsen - 30 Jul 2008
Safer fix checked in. Confirmed that it works.
--
TWiki:Main.KennethLavrsen - 30 Jul 2008
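As an added illustration, not code from TWiki or from anyone in this thread: a small Python model of the preference lookup discussed above. It shows how a topic-level `* Set TOPIC=` line (even inside an HTML comment, as in the report) redirects the edit link, how finalizing TOPIC and WEB neutralises it, and how an admin could scan topic text for such override attempts. The regex, `PROTECTED` set, helper names and sample topic are assumptions.

```python
import re

# Internal variables this thread agrees must not be overridable from topic text.
PROTECTED = {"TOPIC", "WEB"}

# Matches TWiki-style preference lines such as "   * Set TOPIC=Foo".
# HTML comments are not stripped first, so a Set hidden in <!-- --> is seen too.
SET_RE = re.compile(r"^\s*\*\s+Set\s+(\w+)\s*=\s*(.*?)\s*$", re.MULTILINE)


def find_overrides(topic_text):
    """Return (name, value) for every protected variable the topic tries to set.

    Useful as an audit over stored topics: a non-empty result flags the hijack."""
    return [(m.group(1), m.group(2))
            for m in SET_RE.finditer(topic_text)
            if m.group(1) in PROTECTED]


def resolve(web, topic, topic_text, final=frozenset()):
    """Model the lookup: session values seed WEB/TOPIC, then topic-level Set
    lines override them unless the name is finalized (the agreed fix)."""
    prefs = {"WEB": web, "TOPIC": topic}
    for m in SET_RE.finditer(topic_text):
        name, value = m.group(1), m.group(2)
        if name in final:
            continue  # finalized: the topic's Set line is ignored
        prefs[name] = value
    return prefs


def edit_link(prefs):
    """Build the edit URL from the resolved WEB and TOPIC values."""
    return "/cgi-bin/edit/%s/%s" % (prefs["WEB"], prefs["TOPIC"])


# Constructed sample topic text reproducing the payload from the report above.
SAMPLE = """Some topic text
<!--
   * Set TOPIC=SandBoxBroken
-->
   * Set TITLE=Human readable title
"""

if __name__ == "__main__":
    print(find_overrides(SAMPLE))
    print(edit_link(resolve("Sandbox", "HijackTopicVariable", SAMPLE)))
    print(edit_link(resolve("Sandbox", "HijackTopicVariable", SAMPLE, final=frozenset(PROTECTED))))
```

Without finalization the edit link points at the hijacked name; with TOPIC and WEB finalized it points back at the real topic while harmless settings such as TITLE still apply.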