I was testing if TWiki was robust in respect to a potential security risk: when we access, for example, http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs?topic=http://www.google.com, TWiki tries to redirect. But it checks if the target URL is listed on TWiki::cfg{PermittedRedirectHosts} and denies the action if not.
The point is: when the redirect attempt happens, it calls TWiki::redirect. When the action is denied, TWiki::getScriptUrl is called. This method depends on the urlHost field if an absolute URL is requested (like TWiki::getScriptUrl does). But urlHost initialization happens after the redirect attempt! So, if DEBUG is on, we get a "Software Error" message from the webserver.
The solution is trivial: initialize the urlHost field earlier, since it depends only on TWiki::Request (or CGI, in the case of 4.2). Both exist since the beginning of TWiki::new.
-- TWiki:Main/GilmarSantosJr - 21 Jul 2008
After the commit, I get this error:
Can't call method "getPreferencesValue" on an undefined value at /home/twiki4/twikisvn/core/lib/TWiki.pm line 1009.
at /home/twiki4/twikisvn/core/lib/TWiki.pm line 1009
TWiki::getSkin('TWiki=HASH(0x9ad9b80)') called at /home/twiki4/twikisvn/core/lib/TWiki/UI/Oops.pm line 108
TWiki::UI::Oops::oops('TWiki=HASH(0x9ad9b80)', '', 'undef', 'TWiki::Request=HASH(0x9df138c)', 0) called at /home/twiki4/twikisvn/core/lib/TWiki/UI/Oops.pm line 55
TWiki::UI::Oops::oops_cgi('TWiki=HASH(0x9ad9b80)') called at /home/twiki4/twikisvn/core/lib/TWiki/UI.pm line 174
TWiki::UI::__ANON__() called at /home/twiki4/twikisvn/core/lib/CPAN/lib//Error.pm line 379
eval {...} called at /home/twiki4/twikisvn/core/lib/CPAN/lib//Error.pm line 371
Error::subs::try('CODE(0x9ab9748)', 'HASH(0xa1fb728)') called at /home/twiki4/twikisvn/core/lib/TWiki/UI.pm line 236
TWiki::UI::execute('TWiki::Request=HASH(0x9df138c)', 'CODE(0x9e5b7bc)', 'oops', 1) called at /home/twiki4/twikisvn/core/lib/TWiki/UI.pm line 125
TWiki::UI::handleRequest('TWiki::Request=HASH(0x9df138c)') called at /home/twiki4/twikisvn/core/lib/TWiki/Engine/CGI.pm line 48
TWiki::Engine::CGI::run('TWiki::Engine::CGI=HASH(0x9d1e1b4)') called
Still analyzing.
-- TWiki:Main.GilmarSantosJr - 21 Jul 2008
At TWiki.pm:1345 we can see:
if( $topic =~ m#^$regex{linkProtocolPattern}://#o &&
$this->{request} ) {
# redirect to URI
$this->{webName} = '';
$this->redirect( $topic );
return $this;
}
Before the TSA merge, this code printed the redirect headers and exited. In the new way it sets the redirect headers and returns. On the normal flow of execution, the object returned is used (but it isn't totally initialized) and causes the error. If I comment out the return, then TWiki searches for a topic named as the parameter value (no redirects) and causes an error.
I think that the solution to this is to have TWiki::Response::redirect raise an exception, and the handler should finalize cleanly (see Item5729) and redirect.
-- TWiki:Main.GilmarSantosJr - 21 Jul 2008
I think that an exception could be "too much power for a little problem". I want to work on the architecture and will come back to this at that time. For now, a fast fix is to check (in TWiki::UI::execute) if $session->{response}->status() is a redirect (3xx). If not, process normally. If yes, jump directly to the finalization phase (send the response to the client).
-- TWiki:Main.GilmarSantosJr - 22 Jul 2008
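A stand-alone model of the fast fix proposed above, written as an added example and not taken from TWiki's code: the request handler runs, and if the response status is already a 3xx the dispatcher goes straight to finalization instead of continuing with a half-initialized session. The allow-list, the request and response hashes, and the host names are constructed stand-ins for $TWiki::cfg{PermittedRedirectHosts}, TWiki::Request and TWiki::Response.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allow-list (stands in for $TWiki::cfg{PermittedRedirectHosts}).
my $permitted = ['wiki.example.org'];

# Extract the host part of an absolute http(s) URL; undef if not absolute.
sub target_host {
    my ($url) = @_;
    return undef unless $url =~ m{^https?://([^/:?#]+)}i;
    return lc $1;
}

# Redirects are only allowed to hosts on the allow-list (exact match).
sub redirect_allowed {
    my ($url, $hosts) = @_;
    my $host = target_host($url);
    return 0 unless defined $host;
    return scalar grep { $_ eq $host } @$hosts;
}

# Stand-in for TWiki::Response::redirect: sets a 3xx on success, otherwise
# records a denial without leaving the site.
sub redirect {
    my ($response, $url, $hosts) = @_;
    if (redirect_allowed($url, $hosts)) {
        $response->{status} = 302;
        $response->{headers}{Location} = $url;
    } else {
        $response->{status} = 403;
        $response->{body}   = "Redirect to $url refused";
    }
}

sub finalize { my ($response) = @_; return $response; }   # would send to client

# Models the check proposed for TWiki::UI::execute.
sub execute {
    my ($request, $hosts) = @_;
    my $response = { status => 200, headers => {}, body => '' };
    redirect($response, $request->{topic}, $hosts) if $request->{topic} =~ m{^https?://}i;
    # A 3xx means the handler already decided the outcome: finalize now and
    # never touch the partially initialized session.
    return finalize($response) if $response->{status} >= 300 && $response->{status} < 400;
    $response->{body} = "Rendering topic $request->{topic}" if $response->{status} == 200;
    return finalize($response);
}

for my $topic ('WebHome', 'http://wiki.example.org/view/Main', 'http://www.google.com') {
    my $r = execute({ topic => $topic }, $permitted);
    print "$topic => $r->{status}", ($r->{headers}{Location} ? " Location: $r->{headers}{Location}" : ''), "\n";
}
```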
Cleaned "WaitingFor" field.
-- TWiki:Main.GilmarSantosJr - 10 Aug 2008