• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
• Use
Item7848 for generic doc work for TWiki-6.1.1. Use Item7851 for doc work on extensions that are not part of a release. More... Close • Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
• Does this site look broken?. Use the LitterTray web for test cases.
In fixing Item2650, I noticed that from the form
The value where? The encoding/decoding of parameters in POSTs should be hidden entirely in CGI. If an encoding is leaking into the code, there may be a problem in CGI... CC I am not sure I understand the question... I had to explicitly put a check in the code to look for the encoded comma which does not seem to be good.... -- TW No, it doesn't sound good. Can you describe a testcase? I can't reproduce this.... CC Thomas, any chance of that testcase? Otherwise I'm going to have to close this, as i can't reproduce it. Thanks. CC No feedback for a year. No solving. No Action KJL
<form name="newtopic" action="%SCRIPTURLPATH{"edit"}%/%WEB%/">
<input type="hidden" name="formtemplate" value="TestForm" />
New topic name <input type="hidden" name="topic" value="FormInitXXXXXXXXXXX" />
<input type="hidden" name="OperatingSystem" value="OsMacOS,OsSolaris" />
<input type="submit" class="twikiSubmit" value="Create" />
</form>
the value of field OperatingSystem was OsMacOS%2COSSolaris. In lib/TWiki/Form.pm, we tend to look for " , ", not for %2C. I don't know why the %2C shows up in the field, but we might want to check whether there are areas that could bite us here.
In the fix discussed, I explicitly put a check for both the comma and %2C, but there are no other places in lib/TWiki/Form.pm where this is done.
The value where? The encoding/decoding of parameters in POSTs should be hidden entirely in CGI. If an encoding is leaking into the code, there may be a problem in CGI... CC I am not sure I understand the question... I had to explicitly put a check in the code to look for the encoded comma which does not seem to be good.... -- TW No, it doesn't sound good. Can you describe a testcase? I can't reproduce this.... CC Thomas, any chance of that testcase? Otherwise I'm going to have to close this, as i can't reproduce it. Thanks. CC No feedback for a year. No solving. No Action KJL
| ItemTemplate | |
|---|---|
| Summary | Examine Form.pm whether it is resilient to browser manipulations of url parameters |
| ReportedBy |
TWiki:Main.ThomasWeigert
|
| Codebase | ~twiki4 |
| SVN Range | TWiki-4.1.0, Sun, 14 Jan 2007, build 12536 |
| AppliesTo | Engine |
| Component | |
| Priority | Normal |
| CurrentState | No Action Required |
| WaitingFor |
TWiki:Main.ThomasWeigert
|
| Checkins | |
| TargetRelease | n/a |
| ReleasedIn | |
Topic revision: r9 - 2008-07-26 - KennethLavrsen
Site map
Bugs web
Create New Report
Index
Search
Detailed Items Query
Changes
100
Notifications
RSS Feed
Statistics
Preferences
Bugs 
Items by urgency
My Reports
Recently Closed
Extensions
By Status 
Waiting for Feedback
Confirmed
Being Worked On
Waiting for Release
No Action Required
Lima 
Fixes for Rel.Notes
Create Feature Request
Account 
Copyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback