• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item6881: User dir installation broken with URL sanitization if dir contains a ~ tilde

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal Closed   patch 5.1.2

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

I'm in the process of upgrading a TWiki installation to the latest 5.1.1 version. This time, I am wanting to install as a normal user to avoid requiring root access for changes to the TWiki configurations. I've been able to get this to work using Apache's <UserDir> and suEXEC facilities. I am unable to login and edit pages since the "~" in the URL gets removed. I believe this is caused by Item6582 "Sanitize URL parameters - CVE-2010-3841" as it works if I add "~" to the RE in TWiki/LoginManager/TemplateLogin.pm: 
# Item6673: Cleanup origurl parameter
   $origurl  =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&%RED%~%ENDCOLOR%]//g if( $origurl );

Here is the URL for the login page that is shown when clicking Edit with "~twiki" as the user directory. 

http://192.168.1.2:8080/~twiki/cgi-bin/login/Main/WebHome?t=1338999966;nowysiwyg=0;origurl=/~twiki/cgi-bin/edit/Main/WebHome?t=1338999966;nowysiwyg=0

And the URL for the edit redirect after logging with the "~" removed: 

http://192.168.1.2:8080/twiki/cgi-bin/edit/Main/WebHome?twiki_redirect_cache=e07935084e08a25650d3599061faa79a

I have not yet encountered any other situations where the same issue occurs, but my testing to date has been limited to verifying the new installation before doing a backup/restore from the old TWiki.

-- TWiki:Main/JosephZamzow - 2012-06-06

Thank you Joseph! Patch looks good, and no security issue.

Fix is now in SVN trunk and 5.1 branch.

Patch: 

--- lib/TWiki/LoginManager/TemplateLogin.pm.old
+++ lib/TWiki/LoginManager/TemplateLogin.pm
@@ -140,7 +140,7 @@
     my $remember  = $query->param( 'remember' );

     # Item6673: Cleanup origurl parameter
-    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g if( $origurl );
+    $origurl   =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&\~]//g if( $origurl );

     # Eat these so there's no risk of accidental passthrough
     $query->delete( 'origurl', 'username', 'password' );

-- TWiki:Main.PeterThoeny - 2012-06-07

Here's an apache hack to make the tildes work, at least until the next release... 

 RedirectMatch /user(.*)$ http://webserver/~user$1

-- TWiki:Main.JasonBrooks - 2012-06-20

ItemTemplate
Summary User dir installation broken with URL sanitization if dir contains a ~ tilde
ReportedBy TWiki:Main.JosephZamzow
Codebase ~twiki4, 5.1.1
SVN Range

AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:22972 TWikirev:22973
TargetRelease patch
ReleasedIn 5.1.2
Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View |  Raw edit | More topic actions
Topic revision: r8 - 2012-10-07 - PeterThoeny
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback