Item3486: Possible to create topics with unsupported characters

One of my users managed to inadvertantly create a page which started with '[' (by writing a link like [[[PageName][This is a page]], with 3 leading brackets instead of 2. Quite a surprise that TWiki went ahead and created the page with the leading bracket in its filename. Unfortunately any attempt to rename it within TWiki fails with an "Unmatched [ in regex" error at (at least) two locations: Render.pm line 1773, and Search.pm line 285.

Render.pm should be an easy fix; use quotemeta on the web and page names before making them into REs. Search.pm is less obvious because it must be in 'regex' search mode, otherwise quotemeta would have been used. I don't have time to look into this now, especially as I suspect there may be other cases where pagenames and web names are used in REs without being quoted.

---

I can confirm this this error is also in 4.1.0

You get regex failure the minute you hit "More action" link. And this seems like something that could happen often. I find many garbage filenames created at work. Now we know why.

Patch candidate

KJL

For 4.1.1 we choose the simple approach to prevent the bracket syntax from creating a new topic link with a bracket in it.

But it does not prevent creating these wrongly named topics. But it removes urgentcy

-- KJL

Elevating back to urgent. With the edit link I can violate any common sense in topic names. I was sure earlier versions had a filter that prevented illegal characters.

We need at least some common sense back.

-- KJL

Is the name filter not working? We need to be carful when fxing this bug so that we are not affecting I18N.

I changed the summary to reflect the change in scope.

-- PTh

Yes. We do not want to impose some English only rule and no limitation on special characters that are not necessary.

But right now you can create topics like [Hello -GoForIt My\ponyshow

We need as a minimum to enforce the first letter to be an Uppercase letter (any language so not [A-Z]) and we need to filter off certain characters. I would think that the upper case initial combined with similar filter as used for attachments would be a good spec.

But yes we need to define the spec first.

Note that the browser sends the special characters to TWiki URL encoded. Do we have a check today? And does work before or after URL decoding? Where is the file name checked when you create a topic. It must be both then you run edit and hit the save button that we need to check.

-- TWiki:Main.KennethLavrsen - 31 Jan 2007

Degrading to normal. This is not a release blocker for 4.1.1 patch release.

-- TWiki:Main.PeterThoeny - 03 Feb 2007

I can't reproduce this in MAIN, even creating a topic with meta in the name on disc.

Looks like squabs are filtered now. There are a couple of checkins associated with this bug that seem to be the fix. The checkins say "we should prevent this on the receiving side" but I have no idea what that means, and I can't reproduce any problem so I'm closing this.

CC