Configure's regexp checker fails miserably if you give it a valid regexp containing a /. Simply enter '/x' in any checked REGEXP field.
Yes, it happens in real life - consider a match on an X509 certificate, where typical data is
/C=UK/O=Megalith/G=Fred
...
Bug is that it does an
eval "qr/$str/";
Shouldn't use delimiter at all; anything you pick is wrong somewhere. Do this 1 line change instead:
lib/TWiki/Configure/Checker.pm ~ line 239 in trunk:
# Check for a compilable RE
sub checkRE {
    my ($this, $keys) = @_;
    my $str;
    eval '$str = $TWiki::cfg'.$keys;
    return '' unless defined $str;
    eval "'x' =~ \$str"; #<<<<<<<<
    if ($@) {
        return $this->ERROR(<<MESS);
Invalid regular expression: $@ <p />
See <a href="http://www.perl.com/doc/manual/html/pod/perlre.html">perl.com</a> for help with Perl regular expressions.
MESS
    }
    return '';
}
For now, I ship a custom work-around for especially vulnerable fields. That's a bad thing.
Urgent because valid user input produces false and hard to diagnose errors. E.g.
'/emailAddress=\w+\@example\.com'
produces:
Error: Invalid regular expression: Bareword found where operator expected at (eval 1394) line 1, near "qr//emailAddress"
--
TWiki:Main/TimotheLitt
- 2011-09-15
Thank you Timothe. This is now in SVN trunk and 5.1 branch. Could you please check if the fix is good?
--
TWiki:Main.PeterThoeny
- 2011-09-21
Yes, it's good.
While we're here, it might be good to check $@ after the first eval. Something like:
eval '$str = $TWiki::cfg'.$keys;
$@ and return $this->ERROR( "Bad item key $keys: $@" ); #<<<<++
return '' unless defined $str;
An eval without a check of $@ can produce odd behaviors that are really hard to track down ...
--
TWiki:Main.TimotheLitt
- 2011-09-21
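The two checks discussed above, run side by side on the values quoted in this report. This is an added example, not part of the thread and not TWiki code: `%cfg`, the `Demo` section, its item names, the `(unclosed` pattern and the malformed key string are constructed for illustration, and errors are returned as plain strings instead of going through `$this->ERROR`.

```perl
use strict;
use warnings;

# Constructed stand-in for %TWiki::cfg; section and item names are hypothetical.
# Values are the ones quoted in this report plus one truly invalid pattern.
our %cfg = (
    Demo => {
        Slash   => '/x',
        Subject => '/C=UK/O=Megalith/G=Fred',
        Email   => '/emailAddress=\w+\@example\.com',
        Broken  => '(unclosed',
    },
);

# Original check: the value is pasted into Perl source between '/' delimiters,
# so a '/' inside the value ends the pattern early and the rest fails to parse.
sub check_with_delimiter {
    my ($str) = @_;
    eval "qr/$str/";
    return $@ ? 'rejected' : 'ok';
}

# Check from this report, with the additional $@ test on the key lookup.
# Returns '' when the item is acceptable, otherwise an error message.
sub check_re {
    my ($keys) = @_;
    my $str;
    eval '$str = $main::cfg' . $keys;
    return "Bad item key $keys: $@" if $@;    # without this, a bad key passes as ''
    return '' unless defined $str;
    eval "'x' =~ \$str";                      # \$str: the eval sees a variable, not the text
    return "Invalid regular expression: $@" if $@;
    return '';
}

for my $item (qw(Slash Subject Email Broken)) {
    my $value = $cfg{Demo}{$item};
    my $new   = check_re("{Demo}{$item}") eq '' ? 'ok' : 'rejected';
    printf "%-34s delimiter: %-8s no delimiter: %s\n",
        $value, check_with_delimiter($value), $new;
}

# Constructed malformed key string: the lookup itself fails to compile.
print check_re('{Demo}{'), "\n";
```

The delimiter form rejects all four values, while the delimiter-free form accepts the three valid ones and rejects only `(unclosed`; the last line prints the "Bad item key" message instead of an empty result.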
I am closing this one because of today's TWiki-5.1.1 patch release. Please file a new report for the additional issue.
--
PeterThoeny - 2012-01-14