
Item4753: /bin/twiki is experimental stuff that should not be in distribution

Item Form Data

AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.2.0


Detail

/bin/twiki is experimental stuff that should not be in distribution

No one really tests it.

It is not considered in any of the security setup.

It could potentially be an open security bomb.

I strongly propose it is removed from the MANIFEST.

If needed by some, it should perhaps be in a Contrib.

-- TWiki:Main/KennethLavrsen - 01 Oct 2007

This is the default Apache setup for TWiki (non-template):

# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view, resetpasswd & passwd are not authenticated.
# (un-comment to activate)
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
#   require valid-user
#</FilesMatch> 

I have gotten the impression that the twiki script allows editing?

Who put that there unprotected?

-- TWiki:Main.KennethLavrsen - 01 Oct 2007
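The concern in the post above is that the default FilesMatch rule only protects scripts whose names match a hand-written regex, so a new script such as bin/twiki silently falls outside it. The following is an added example, not code from the TWiki project, that reproduces the quoted pattern and checks a constructed list of bin/ script names against it, then contrasts it with a deny-by-default allow list (the script names and the allow list are assumptions for illustration, not taken from a real install):

```python
import re

# Pattern copied from the default TWiki Apache configuration quoted above.
# Apache's <FilesMatch> applies a PCRE to the requested file name with
# unanchored match semantics, which re.search() reproduces.
FILESMATCH_PATTERN = r"(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*"
FILESMATCH_RE = re.compile(FILESMATCH_PATTERN)

# Constructed list of bin/ script names for illustration (assumption, not an
# inventory of a real release); it includes the experimental single-script
# interface "twiki" that this item is about.
BIN_SCRIPTS = [
    "attach", "edit", "logon", "manage", "oops", "passwd", "rdiff",
    "rdiffauth", "register", "rename", "resetpasswd", "rest", "save",
    "search", "statistics", "twiki", "upload", "view", "viewauth",
]

# Constructed allow list for the deny-by-default variant: scripts that are
# intentionally reachable anonymously (the config comment itself names view,
# resetpasswd and passwd as deliberately unauthenticated).
PUBLIC_SCRIPTS = {
    "view", "passwd", "resetpasswd", "register", "oops", "rdiff",
    "search", "statistics",
}


def requires_auth_filesmatch(script: str) -> bool:
    """True if the quoted FilesMatch rule would make Apache demand a valid user."""
    return FILESMATCH_RE.search(script) is not None


def unprotected_scripts(scripts) -> list:
    """Scripts the FilesMatch rule leaves reachable without authentication."""
    return sorted(s for s in scripts if not requires_auth_filesmatch(s))


def requires_auth_allowlist(script: str, public=frozenset(PUBLIC_SCRIPTS)) -> bool:
    """Deny-by-default: anything not explicitly public needs a valid user,
    so a newly added or experimental script is protected until someone
    consciously opens it up."""
    return script not in public


def unprotected_scripts_allowlist(scripts, public=frozenset(PUBLIC_SCRIPTS)) -> list:
    """Scripts reachable anonymously under the allow-list policy."""
    return sorted(s for s in scripts if not requires_auth_allowlist(s, public))


if __name__ == "__main__":
    print("Anonymous under the regex rule:   ", unprotected_scripts(BIN_SCRIPTS))
    print("Anonymous under the allow list:   ", unprotected_scripts_allowlist(BIN_SCRIPTS))
    print("Is bin/twiki protected by the regex?", requires_auth_filesmatch("twiki"))
```

Running it shows "twiki" (along with the intentionally public scripts) in the first list and absent from the second: the regex protects a script only if its name happens to contain one of the listed words, whereas the allow list fails closed. The same check is worth running whenever a script is added to bin/, since the regex will not flag the omission on its own.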

I have not managed to use the script to gain access without auth.

But it is a bit mysterious, this script. The documentation says: "Single-script interface to the functionality of all the other scripts. Experimental, not for production use. Read the code if you want to know more."

Read the code!!! By God. You cannot write that in the distribution docs.

Either it gets documented and with proper protection in default apache configs or it goes out. We do not ship undocumented, untested experimental code.

-- TWiki:Main.KennethLavrsen - 01 Oct 2007

Kill it. It's a hole waiting to be opened.

-- TWiki:Main.CrawfordCurrie - 02 Oct 2007

Done.

Removed from MANIFEST.

Removed from TWikiScripts, where the horror "read the code" message was found.

This one should be moved to a contrib for the ones that like to experiment with this.

-- TWiki:Main.KennethLavrsen - 03 Oct 2007

Completely agree. See my first failed attempt in January, Item3429.

-- TWiki:Main.PeterThoeny - 07 Oct 2007

ItemTemplate

Summary: /bin/twiki is experimental stuff that should not be in distribution
ReportedBy: TWiki:Main.KennethLavrsen
Codebase: ~twiki4
SVN Range: TWiki-4.3.0, Sun, 30 Sep 2007, build 15107
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: TWikirev:15144 TWikirev:15145
TargetRelease: minor
ReleasedIn: 4.2.0
Topic revision: r9 - 2008-01-22 - KennethLavrsen