• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
I've been asked to make this a separate report in Item893, so here you are:
Often I am running my laptop "offline", i.e. apache runs on localhost without external net.
Since the inclusion of IncludeTopicsAndWebPages's content in TWikiVariables,
reading TWikiVariables when "offline" gives me an "attempted hack":
contains a link to an external URL
Agreed. At least the error is detected and not just ignored! The error handling must be improved. Do you have a stack trace? (from error_log) CC Aye. Is attached. 300-column-lines make difficult reading... -- TWiki:Main.HaraldJoerg
Moved from Item893:
TWiki should not fail with a scary "attempted hack" error in a production environment.
-- PTh
On the contrary; it must fail. The alternatives (it ignores the error, and ploughs on, or it doesn't tell the user but just doesn't complete the operation) are too horrifying to contemplate.
The wording of the message was chosen to reflect the concerns of the Security community, and indicate that TWiki is not only detecting errors, but is checking for attempted hacks as well. In the light of recent experiences I thought this was good PR.
CC
Crawford, clarification: It should fail, but with a graceful text shown to the user (by replacing %INCLUDE with error text, thus render the remaining part of the topics as usual). Don't make me think.
-- PTh
I agree with PTh. Most other webapp development environments show an inline error, sometimes in red. I never want to see an attempted hack error in a production environment, because that means the security team gets called. 3 or more of these in a week, esp. during trial of TWiki for a corporate environment, and I can guarantee the entire effort would be cancelled.
The good news: it no longer mentions an "attempted hack":
thanks! applied SVN:7639
-- WN
TWiki detected an error or attempted hack - please check your TWiki logs and webserver logs for more information. Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4The reason: TWiki:TWikiVariablesAtoM
contains a link to an external URL
Tokyo: %INCLUDE{"http://TWiki.org/cgi-bin/xtra/tzdate?tz=Asia/Tokyo" pattern="^.*<\!--tzdate:date-->(.*?)<\!--/tzdate:date-->.*"}%
...which croaks due to the suboptimal error handling in TWiki::Net::getUrl. So I'm tempted to re-prioritize to "Normal" because the doc is currently in a very bad place (I often consult TWikiVariables, but never needed IncludeTopicsAndWebPages).
PTh asked to classify this as a requirement, writing "TWiki should not fail with a scary "attempted hack" error in a production environment." This is correct, but though I think I can be productive when offline, I wouldn't call this a production environment. Since, however, the same problem will occur when a firewall or authenticated proxy prevents TWiki from accessing the outside world, let's compromise on "Urgent".
Agreed. At least the error is detected and not just ignored! The error handling must be improved. Do you have a stack trace? (from error_log) CC Aye. Is attached. 300-column-lines make difficult reading... -- TWiki:Main.HaraldJoerg
Moved from Item893:
TWiki should not fail with a scary "attempted hack" error in a production environment.
-- PTh
On the contrary; it must fail. The alternatives (it ignores the error, and ploughs on, or it doesn't tell the user but just doesn't complete the operation) are too horrifying to contemplate.
The wording of the message was chosen to reflect the concerns of the Security community, and indicate that TWiki is not only detecting errors, but is checking for attempted hacks as well. In the light of recent experiences I thought this was good PR.
CC
Crawford, clarification: It should fail, but with a graceful text shown to the user (by replacing %INCLUDE with error text, thus render the remaining part of the topics as usual). Don't make me think.
-- PTh
I agree with PTh. Most other webapp development environments show an inline error, sometimes in red. I never want to see an attempted hack error in a production environment, because that means the security team gets called. 3 or more of these in a week, esp. during trial of TWiki for a corporate environment, and I can guarantee the entire effort would be cancelled.
- I second, tripple, quadruple this concern! -- PTh
INCLUDE is normally expected to print an error if it can't find a topic (which, as you know, can be supressed using warn="off") so, i would expect the same to happen for an external include.
-- WN
OK, OK, you win. I even softened the omigod message to remove the risk of jackbooted security guards marching in every time you see it.
I can't test this properl without disconnecting from the newtork. Can someone give it a try on an offline machine please? If it works, you can close this report.
SVN 7636
CC
The someone with an offline machine could be me again
The good news: it no longer mentions an "attempted hack":
TWiki detected an internal error - please check your TWiki logs and webserver logs for more information. Can't call method "with" without a package or object referenceThe bad news, obviously: It doesn't work. Here is the patch:
Index: lib/TWiki.pm =================================================================== --- lib/TWiki.pm (Revision 7638) +++ lib/TWiki.pm (Arbeitskopie) @@ -43,6 +43,7 @@ use strict; use Assert; +use Error qw( :try ); require 5.005; # For regex objects and internationalisationNow I get, within IncludeTopicsAndWebPages
Failed to include URL http://TWiki.org/cgi-bin/xtra/tzdate?tz=Asia/TokyoSo, status is "New" again. -- TWiki:Main.HaraldJoerg
thanks! applied SVN:7639
-- WN
| ItemTemplate | |
|---|---|
| Summary | INCLUDE with external urls gives attempted hack when offline |
| ReportedBy |
TWiki:Main.HaraldJoerg
|
| Codebase | |
| AppliesTo | Engine |
| Component | |
| Priority | Urgent |
| CurrentState | Closed |
| WaitingFor | |
| Checkins | 7636 7639 |
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 errorlog |
item1015.errorlog | r1 | manage | 4.3 K | 2005-11-22 - 21:18 | HaraldJoerg | 21 lines of stacktrace from Apache's error_log |
Topic revision: r12 - 2005-11-24 - WillNorris
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback