• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Please take a look at: http://twiki.org/cgi-bin/view/Support/TWikiVer4x0x4FileAttachmentProblem

Crawford suggested raising the bug so I am doing it.

There are three things which IMHO should be adressed:

  • making sure that the script correctly sets RCS settings (e.g. ciCmd) in LocalSite.cfg file - in our case we did not touch the original Cairo settings and anyhow we ended up with wrong (not compatible with Dakar) settings after performing the migration. There should be some statement in TWiki upgrade guide, mentioning that RCS settings has been changes and now special flags %U, %D, etc. are used. So that people after migration take a look on their settings.
    • Can you (or anyone else) suggest where, and what it should say?CC
    • I see two possible places: TWikiUpgradeTo04x00x00 or TWikiUpgradeGuide. In the secion starting with "There are a few points worth noting" of the latter topic, one could add: "Please observe that Twiki 4.0.4 uses different security (sandbox) model than Cairo with regard to handling of RCS files, therefore RCS related settings (e.g. ciCmd) in TWiki configuration file (now LocalSite.cfg, before TWiki.cfg) should be different. Now these settings should contain special flags (%U, %D), which let TWiki use RCS commands without causing security violations, which would lead to inability to version files. There were reported issues, where upgrade script did not set these setting correctly automatically." -- WojciechSeliga - 01 Sep 2006
  • security of using suggested %U flag with comment (-m option to ciCmd). Won't it allow malicious users to upload files with some forged comment containing shell operators (e.g. | >) which in turn would allow them to run something on the server side?
    • On most platforms, no, because safe pipes are used for execution. On Windows servers, depending on how they are set up, yes. CC
  • error handling: 4.0.4 silently accepts bad RCS settings (untainted variables) and just does nothing (or even worse: it effectively switches off versioning and overwrites existing files whenever anybody upload something new). I think that the exception caught in RcsWrap.pm should somehow be propagated to the user
    • Agreed. Reverse engineering error handling onto the store is an ongoing nightmare. CC


TWiki upgrade script is being deprecated, discarding this.

(Decision at TWiki:Codev.EdinburghReleaseMeeting2007x01x08).

-- SP

ItemTemplate
Summary RCS problems after an upgrade from Cairo to Dakar 4.0.4 using UpgradeTwiki script
ReportedBy TWiki:Main.WojciechSeliga
Codebase 4.0.4
SVN Range

AppliesTo Engine
Component

Priority Normal
CurrentState No Action Required
WaitingFor

Checkins

TargetRelease n/a
Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r5 - 2007-01-14 - SteffenPoulsen
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback