• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item3722: Private information exposed in relative URLs

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Extension PublishContrib Urgent Closed   n/a  

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

Using version 12961 (22 Feb 2007) the relative URLs generated by a %TOC% command include all the info entered in the Publish Form including the exclude lists and the ftp password, a potentially serious breach of security. The table of contents links on http://dingo.sbs.arizona.edu/~slavine/Courses/IssuesandMethodsSyllabus.html provide an example as of 5 March 2007. The Courses web from a private TWiki is published there using parameters you can see in the URLs. The Examinations link on that page is
http://dingo.sbs.arizona.edu/~slavine/Courses/IssuesandMethodsSyllabus.html?web=Courses;inclusions=*;exclusions=*ResponsePaper*%2cWebAtom%2cWebChanges%2cWebIndex%2cWebLeftBar%2cWebNotify%2cWebPreferences%2cWebRss%2cWebSearch*%2cWebStatistics%2c*AnnieS*%2c*Zamzow*%2c*GlicK*%2c*DanielS*%2c*ElizabethPhillips*%2c*HelenHabermann*%2c*HelenFields*%2c*HelenResponse*%2cHelpIForgotToCopyRussell%2cHowtoCreateaTopic%2c*IanEvans*%2cInLine%2c*KevinResponse*%2c*KevinV*%2cLaTeX%2cMacGyver%2cMcClane%2cMoronDefining%2c*NathanB*%2cSeeNote%2c*TheresaLopez*%2cUsefulSymbols%2cDavidGlick*%2cIansFields;filter=;skin=pattern;format=;history=PublishContribHistory;destinationftpserver=;destinationftppath=;destinationftpusername=;destinationftppassword=;googlefile=;defaultpage=;relativeurl=#Examinations

Is that a general problem, or is it something peculiar to my installation (Cygwin)? If it is specific, I'll provide further data.

I marked this Normal priority, but perhaps it should be upgraded to urgent, since it will expose passwords.

-- TWiki:Main/ShaughanLavine - 06 Mar 2007

Yes urgent

-- TWiki:Main.KennethLavrsen - 06 Mar 2007

Nasty. I suspect this is actually a core bug, rather than a publishing bug, as nothing changed recently in the contrib that would affect this.

-- TWiki:Main.CrawfordCurrie - 06 Mar 2007

Yes, the "bug" is in the core, introduced by the fix to Item2453. However I think this fix is valid and the Contrib has to be modified to work around it by stripping query params from any URLs it processes.

-- TWiki:Main.CrawfordCurrie - 06 Mar 2007

OK, fixed and uploaded. Note that there is only a leak of secure information if a page that contains a %TOC% is published to FTP. Any other publish route is fine. i strongly suspect that the PublishWebPlugin will have the same problem.

CC

ItemTemplate
Summary Private information exposed in relative URLs
ReportedBy TWiki:Main.ShaughanLavine
Codebase 4.1.1
SVN Range TWiki-4.1.1, Mon, 05 Feb 2007, build 12770
AppliesTo Extension
Component PublishContrib
Priority Urgent
CurrentState Closed
WaitingFor

Checkins TWikirev:13063 TWikirev:13064
TargetRelease n/a
ReleasedIn

Edit | Attach | Watch | Print version | History: r6 < r5 < r4 < r3 < r2 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r6 - 2007-03-06 - CrawfordCurrie
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback