
Item3824: Possible to hijack TOPIC or WEB variable making editing a topic with one of these defined impossible

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: patch
ReleasedIn: 4.2.1


Detail

Lately I have discovered a major problem in TWiki, which allows a person with editing rights to make changes to a topic which are hard or maybe even impossible to revert inside TWiki. If you add the following lines inside a topic, nearly all links to edit or change it are broken:

<!--
   * Set TOPIC=<Some other name>
-->

I have changed the topic of the site "HijackTopicVariable" to "SandBoxBroken" (http://twiki.org/cgi-bin/view/Sandbox/HijackTopicVariable) and now it is not possible to change the page anymore.

I have discovered this bug while searching for a way to change the title of the page (e.g. in the breadcrumb menu) to something more human readable.

-- Boris von Loesch - 30 Mar 2007 - via e-mail to the twiki-security mailing list

This applies since TWiki 4. Any internal variable can be overloaded, which is flexible and a curse at the same time.

We possibly need a variable that defines the final settings, similar to the FINALPREFERENCES?

-- TWiki:Main/PeterThoeny - 30 Mar 2007

ah, this'll be good to fix :/

as it's from the SESSION_TAGS hash

$this->{SESSION_TAGS}{TOPIC}   = $topic;
$this->{SESSION_TAGS}{WEB}     = $web;

which we should see if we can remove, and replace with (maybe) SESSION prefs that are FINALIZED as peter points out?

-- TWiki:Main.SvenDowideit - 07 Apr 2007

Yes; might get to delete some more code at the same time :-)

I introduced the SESSION_TAGS to simplify (and understand) %INCLUDE, which needs to push new values. However Prefs now supports this (using mark and reset) so this hash can probably be retired.

-- CC - 15 Apr 2007

Not the major code refactor fix proposed here, but then again no one did anything since April 2007.

I decided to check in a simple fix that cures the problem, so there is one less thing for an admin to worry about.

-- TWiki:Main.KennethLavrsen - 30 Jul 2008

I'm re-opening this because the "simple fix" is a hack, and doesn't attempt to address the core problem.

TWiki is highly flexible, and any built-in can be overridden - that's a key feature. How is overriding TOPIC or WEB any worse than overriding anything else? (for example, IF or SEARCH)

-- CrawfordCurrie - 30 Jul 2008

We discussed this this morning.

We now agree that TOPIC and WEB (and possibly others) need to be protected. I will tonight (30 Jul 2008) verify that the two can be finalized in TWikiPrefs. If so I will change from the hack to the finalize solution.

-- TWiki:Main.KennethLavrsen - 30 Jul 2008

Safer fix checked in. Confirmed that it works.

-- TWiki:Main.KennethLavrsen - 30 Jul 2008
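The following is an added example, not TWiki's own code and not code from any participant in this thread. It is a small Python model of the two behaviours discussed above: the report's hidden "* Set TOPIC=..." block in topic text overriding the engine's session-level TOPIC and WEB values (so that edit links point somewhere else), and the finalize-style fix, in which WEB and TOPIC are treated as protected names that topic-level settings cannot override while other settings still apply. The setting regex, the `resolve`/`edit_link` helpers, the sample topic text and the session tag values are all assumptions constructed for illustration; they approximate TWiki's "* Set NAME = value" syntax and are not its parser.

```python
import re

# Added example (not TWiki code): a minimal model of how a "* Set NAME = value"
# line in topic text overrides a session-level variable, and how finalizing
# TOPIC and WEB prevents that. The regex is an approximation of TWiki's
# setting syntax (three-space or tab indented bullet, "* Set NAME = value").
SET_RE = re.compile(r'^(?:\t|   )+\* Set (\w+)\s*=\s*(.*?)\s*$', re.MULTILINE)

# Names the fix protects; assumed here as the finalized set.
FINAL_BY_DEFAULT = frozenset({'WEB', 'TOPIC'})


def parse_settings(topic_text):
    """Collect '* Set NAME = value' lines from a topic body.

    Settings inside an HTML comment are still found: the raw topic text is
    scanned, which is exactly why the report's hidden '<!-- ... -->' block
    takes effect.
    """
    return dict(SET_RE.findall(topic_text))


def resolve(session_tags, topic_text, final=frozenset()):
    """Layer topic-level settings over the session tags.

    Any name listed in `final` keeps its session value, mirroring what
    FINALPREFERENCES does for ordinary preferences.
    """
    prefs = dict(session_tags)
    for name, value in parse_settings(topic_text).items():
        if name in final:
            continue  # protected: the topic cannot hijack it
        prefs[name] = value
    return prefs


def edit_link(prefs):
    """The edit URL a template would build from %WEB% and %TOPIC%."""
    return "/cgi-bin/edit/{}/{}".format(prefs['WEB'], prefs['TOPIC'])


# Constructed sample topic: a legitimate SKIN setting plus the hidden hijack.
TOPIC_TEXT = """Some normal topic text.
   * Set SKIN = plain
<!--
   * Set TOPIC = SandBoxBroken
   * Set WEB = Trash
-->
"""

# Session tags as the engine would set them for this request (constructed).
SESSION_TAGS = {'WEB': 'Sandbox', 'TOPIC': 'HijackTopicVariable'}


def vulnerable_edit_link():
    """Pre-fix behaviour: the edit link points at a different web/topic."""
    return edit_link(resolve(SESSION_TAGS, TOPIC_TEXT))


def fixed_edit_link():
    """Post-fix behaviour: WEB and TOPIC are finalized, SKIN still applies."""
    return edit_link(resolve(SESSION_TAGS, TOPIC_TEXT, final=FINAL_BY_DEFAULT))


if __name__ == '__main__':
    print("vulnerable:", vulnerable_edit_link())
    print("fixed:     ", fixed_edit_link())
    print("other settings still honoured:",
          resolve(SESSION_TAGS, TOPIC_TEXT, final=FINAL_BY_DEFAULT)['SKIN'])
```

The point of the `final` set is the one Crawford raises: the flexibility to override built-ins stays intact for everything except the handful of names the engine itself needs to address the current page. Running the block prints an edit link into `Trash/SandBoxBroken` for the unprotected case and `Sandbox/HijackTopicVariable` once the two names are finalized, with the topic's own SKIN setting still honoured in both.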

ItemTemplate
Summary Possible to hijack TOPIC or WEB variable making editing a topic with one of these defined impossible
ReportedBy TWiki:Main.PeterThoeny
Codebase 4.1.2, ~twiki4
SVN Range TWiki-4.1.2, Mon, 26 Mar 2007, build 13227
AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:17203 TWikirev:17204 TWikirev:17220 TWikirev:17221
TargetRelease patch
ReleasedIn 4.2.1
Topic revision: r15 - 2008-08-10 - GilmarSantosJr