
Item6186: Review code for robustness and security


Detail

We will soon release TWiki 4.3.0. The code base is already very stable, nevertheless it is good practice to review the code for robustness and security. Setting this to "urgent" so that it gets some attention.

-- TWiki:Main/PeterThoeny - 17 Feb 2009

TWiki:Main/MarcSchoenefeld and TWiki:Main/SteveMilner of Red Hat reported an XSS issue on any TWiki page with this URL parameter example:

?tag=%0Dsecurity;by=;tag=~%27%20onmouseover=script:alert(1)%20%27

Hover the mouse over the "printable view" link; a JS popup will be shown.

They suggested this fix:

--- viewtopicactionbuttons.tmpl   (revision 17826)
+++ viewtopicactionbuttons.tmpl   (working copy)
@@ -18,7 +18,7 @@
 
 %TMPL:DEF{"action_printable"}%%TMPL:P{"printable"}%%TMPL:P{"sep"}%%TMPL:END%
 
-%TMPL:DEF{"printable"}%<span><a href='%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%?cover=print%QUERYPARAMSTRING%%REVARG%' rel='nofollow' %MAKETEXT{"title='Printable version of this topic' accesskey='p'>&Print version"}%</a></span>%TMPL:END%
+%TMPL:DEF{"printable"}%<span><a href='%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%?cover=print%ENCODE{%QUERYPARAMSTRING%}%%REVARG%' rel='nofollow' %MAKETEXT{"title='Printable version of this topic' accesskey='p'>&Print version"}%</a></span>%TMPL:END%
 
 %TMPL:DEF{"activatable_printable"}%%TMPL:P{"printable"}%%TMPL:END%
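Review bot: the `%ENCODE{%QUERYPARAMSTRING%}%` wrapper on the `+` line applies one encoding to the whole assembled query string, separators and values alike, and passes no `type`, so either the `;` and `=` between parameters get encoded together with the values (and the print view receives a single opaque parameter instead of the original set) or the encoding chosen is not the one the single-quoted `href` needs; encode each parameter name and value where %QUERYPARAMSTRING% is assembled and leave the separators literal. Because nested variables expand inside out, %QUERYPARAMSTRING% is substituted into the macro text before ENCODE's argument is parsed, and it is passed unquoted, so a value containing `"` or `}` changes how the ENCODE call itself is read; the expansion should already be safe for the attribute rather than depending on a wrapper in each template. A one-line doc note stating which characters (`'`, `"`, `<`, `>`, `&`) the encoding guarantees to neutralize would make the attribute context explicit.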

Thank you Marc and Steve!

-- TWiki:Main.PeterThoeny - 23 Feb 2009

TWikirev:17838 and TWikirev:17839 - I added a safe mode to VarENCODE and VarURLPARAM. Sub URLPARAM calls _encode to avoid duplicated code for better maintenance. Doc and unit tests pending.

-- TWiki:Main.PeterThoeny - 23 Feb 2009
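The report and the fix above, together with the "safe mode" added to ENCODE and URLPARAM, come down to one rule: each parameter must be encoded for the context it is emitted into (URL encoding for the query string, entity encoding for the HTML attribute the URL lands in), and the encoding must be applied per value, not to the assembled string. The following is an added example in Python, not TWiki's Perl code or the template itself. REPORTED_QUERY is the query string from the report; VIEW_URL, the function names and the small attribute scanner are constructed here for illustration. It goes a little beyond the page by also decoding the resulting href to show that the hardened link still carries every parameter value intact, while the vulnerable one both leaks an event handler and truncates the value.

```python
"""Attribute-context XSS from an unencoded query string, and the fix.

Added example, not TWiki's code: it models the printable-view link from the
report above in plain Python. The query string is copied from the report;
everything else (VIEW_URL, the function names, the attribute scanner) is
constructed here for illustration.
"""
from html import escape, unescape
from urllib.parse import quote, unquote

# Query string from the report, exactly as it appears in the URL.
REPORTED_QUERY = "tag=%0Dsecurity;by=;tag=~%27%20onmouseover=script:alert(1)%20%27"

# Constructed link target standing in for %SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%.
VIEW_URL = "/twiki/bin/view/Sandbox/TestTopic"

# Shape of the template's anchor: the href is a single-quoted attribute.
ANCHOR = "<a href='%s' rel='nofollow' title='Printable version' accesskey='p'>Print version</a>"


def parse_query(query):
    """Split a CGI query string on ';' or '&' and URL-decode each name and value,
    which is what the CGI layer does before a template can see the parameters."""
    pairs = []
    for part in query.replace("&", ";").split(";"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def vulnerable_printable_link(query):
    """Template before the fix: decoded parameters are re-joined verbatim and
    dropped into a single-quoted href, so a value containing ' ends the attribute."""
    qs = "".join(";%s=%s" % (n, v) for n, v in parse_query(query))
    return ANCHOR % ("%s?cover=print%s" % (VIEW_URL, qs))


def hardened_printable_link(query):
    """One encoding layer per output context:
    1. URL-encode each name and value (safe='' also encodes '/') so that
       ' ; = & and whitespace cannot alter the parameter structure;
    2. entity-encode the finished URL for the attribute it is placed in, so
       the quoted href cannot be terminated even if step 1 is bypassed."""
    qs = "".join(";%s=%s" % (quote(n, safe=""), quote(v, safe=""))
                 for n, v in parse_query(query))
    return ANCHOR % escape("%s?cover=print%s" % (VIEW_URL, qs), quote=True)


def anchor_attributes(markup):
    """Small attribute scanner for the first <a ...> tag, following the HTML5
    tokenizer's rules for quoted and bare values; returns [(name, raw_value)]."""
    i, n, attrs = markup.index("<a") + 2, len(markup), []
    ws = " \t\r\n"
    while i < n and markup[i] != ">":
        while i < n and markup[i] in ws:          # before attribute name
            i += 1
        if i >= n or markup[i] == ">":
            break
        j = i
        while j < n and markup[j] not in ws + "=>":  # attribute name
            j += 1
        name, value, i = markup[i:j], None, j
        while i < n and markup[i] in ws:
            i += 1
        if i < n and markup[i] == "=":               # value follows
            i += 1
            while i < n and markup[i] in ws:
                i += 1
            if i < n and markup[i] in "'\"":         # quoted value
                end = markup.index(markup[i], i + 1)
                value, i = markup[i + 1:end], end + 1
            else:                                    # bare value
                j = i
                while j < n and markup[j] not in ws + ">":
                    j += 1
                value, i = markup[i:j], j
        attrs.append((name, value))
    return attrs


def attribute_names(markup):
    """Attribute names a browser would see on the anchor."""
    return [name for name, _ in anchor_attributes(markup)]


def href_parameters(markup):
    """Decode the href the browser would follow and return its parameters,
    to check that the hardened link still carries the original values intact."""
    href = unescape(dict(anchor_attributes(markup))["href"])
    return parse_query(href.partition("?")[2])


if __name__ == "__main__":
    for label, render in (("vulnerable", vulnerable_printable_link),
                          ("hardened", hardened_printable_link)):
        markup = render(REPORTED_QUERY)
        print("%-10s attributes: %s" % (label, attribute_names(markup)))
        print("%-10s parameters: %s" % (label, href_parameters(markup)))
```

Run stand-alone, the vulnerable render shows an `onmouseover` attribute that came from the query string and a `tag` value cut off at `~`; the hardened render shows only the four attributes the template wrote, and decoding its href returns the full original values, including the quote and the CR. Encoding the assembled string instead of each value would either mangle the `;` and `=` separators or leave the values free to break out of the attribute, which is the trap the template-level fix has to avoid.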

Used http://code.google.com/p/ratproxy/ for a few days on the latest test instance on my laptop; did not find anything odd.

-- TWiki:Main.SopanShewale - 26 Mar 2009

ItemTemplate

Summary: Review code for robustness and security
ReportedBy: TWiki:Main.PeterThoeny
Codebase: 4.2.4, ~twiki4
SVN Range: TWiki-5.0.0, Mon, 19 Jan 2009, build 17786
AppliesTo: Engine
Component:
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: TWikirev:17834 TWikirev:17835 TWikirev:17836 TWikirev:17837 TWikirev:17838 TWikirev:17839 TWikirev:17840 TWikirev:17841
TargetRelease: patch
ReleasedIn: 4.3.0
Topic revision: r16 - 2009-04-08 - PeterThoeny