• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item5798: urlHost field initialized too late in TWiki::new

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal Closed   patch 4.2.1, 5.0.0

Edit Form Data

Reported By:
Applies To:
Current State:
Waiting For:
Target Release:
Released In:


I was testing if TWiki was robust in respect to a potential security risk: when we access, for exmaple, http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs?topic=http://www.google.com, TWiki tries to redirect. But it check if the target URL is listed on TWiki::cfg{PermittedRedirectHosts} and denies action if not.

The point is: when redirect attempt happens, it calls TWiki::redirect. When the action is denied, TWiki::getScriptUrl is called. This method depends on urlHost field if an absolute URL is requested (like TWiki::getScriptUrl does). But urlHost initialization happens after redirect attempt! So, if DEBUG is on, we get a "Software Error" message from webserver.

The solution is trivial: initialize urlHost field earlier, since it depends only on TWiki::Request (or CGI, in case of 4.2). Both exists since the beginning of TWiki::new.

-- TWiki:Main/GilmarSantosJr - 21 Jul 2008

After the commit, I get this error:

Can't call method "getPreferencesValue" on an undefined value at /home/twiki4/twikisvn/core/lib/TWiki.pm line 1009.
 at /home/twiki4/twikisvn/core/lib/TWiki.pm line 1009
   TWiki::getSkin('TWiki=HASH(0x9ad9b80)') called at /home/twiki4/twikisvn/core/lib/TWiki/UI/Oops.pm line 108
   TWiki::UI::Oops::oops('TWiki=HASH(0x9ad9b80)', '', 'undef', 'TWiki::Request=HASH(0x9df138c)', 0) called at /home/twiki4/twikisvn/core/lib/TWiki/UI/Oops.pm line 55
   TWiki::UI::Oops::oops_cgi('TWiki=HASH(0x9ad9b80)') called at /home/twiki4/twikisvn/core/lib/TWiki/UI.pm line 174
   TWiki::UI::__ANON__() called at /home/twiki4/twikisvn/core/lib/CPAN/lib//Error.pm line 379
   eval {...} called at /home/twiki4/twikisvn/core/lib/CPAN/lib//Error.pm line 371
   Error::subs::try('CODE(0x9ab9748)', 'HASH(0xa1fb728)') called at /home/twiki4/twikisvn/core/lib/TWiki/UI.pm line 236
   TWiki::UI::execute('TWiki::Request=HASH(0x9df138c)', 'CODE(0x9e5b7bc)', 'oops', 1) called at /home/twiki4/twikisvn/core/lib/TWiki/UI.pm line 125
   TWiki::UI::handleRequest('TWiki::Request=HASH(0x9df138c)') called at /home/twiki4/twikisvn/core/lib/TWiki/Engine/CGI.pm line 48
   TWiki::Engine::CGI::run('TWiki::Engine::CGI=HASH(0x9d1e1b4)') called

Still analyzing.

-- TWiki:Main.GilmarSantosJr - 21 Jul 2008

At TWiki.pm:1345 we can see:

if( $topic =~ m#^$regex{linkProtocolPattern}://#o &&
            $this->{request} ) {
            # redirect to URI
            $this->{webName} = '';
            $this->redirect( $topic );
            return $this;

Before TSA merge, this code printed redirect headers and exit. In the new way it set redirect headers and return. On the normal flow of execution, the object returned is used (but it isn't totally initialized) and causes the error. If I comment the return, then TWiki searches for a topic named as the parameter value (no redirects) and causes an error.

I think that the solution to this is have TWiki::Response::redirect to raise an exception and the handler should finalize cleanly (See Item5729) and redirect.

-- TWiki:Main.GilmarSantosJr - 21 Jul 2008

I think that an exception could be "too much power for a little problem". I want to work on architecture and will come back to this that time. By now, a fast fix is to check (in TWiki::UI::execute) if $session->{response}->status() is a redirect (3xx). If not, process normally. If yes, jump directly to finalization phase (send response to client).

-- TWiki:Main.GilmarSantosJr - 22 Jul 2008

Cleaned "WaitingFor" field.

-- TWiki:Main.GilmarSantosJr - 10 Aug 2008

Summary urlHost field initialized too late in TWiki::new
ReportedBy TWiki:Main.GilmarSantosJr
Codebase 4.2.0, 4.2.1, ~twiki4
SVN Range TWiki-5.0.0, Sun, 20 Jul 2008, build 17080
AppliesTo Engine

Priority Normal
CurrentState Closed

Checkins TWikirev:17093 TWikirev:17094 TWikirev:17104
TargetRelease patch
ReleasedIn 4.2.1, 5.0.0
Edit | Attach | Watch | Print version | History: r12 < r11 < r10 < r9 < r8 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r12 - 2008-08-10 - GilmarSantosJr
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback