I'm in the process of upgrading a TWiki installation to the latest 5.1.1 version. This time, I want to install as a normal user to avoid requiring root access for changes to the TWiki configuration. I've been able to get this to work using Apache's <UserDir> and suEXEC facilities. I am unable to log in and edit pages, since the "~" in the URL gets removed. I believe this is caused by Item6582 "Sanitize URL parameters - CVE-2010-3841", as it works if I add "~" to the RE in TWiki/LoginManager/TemplateLogin.pm:
# Item6673: Cleanup origurl parameter
$origurl =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&~]//g if( $origurl );
Here is the URL for the login page that is shown when clicking Edit with "~twiki" as the user directory.
http://192.168.1.2:8080/~twiki/cgi-bin/login/Main/WebHome?t=1338999966;nowysiwyg=0;origurl=/~twiki/cgi-bin/edit/Main/WebHome?t=1338999966;nowysiwyg=0
And the URL for the edit redirect after logging in, with the "~" removed:
http://192.168.1.2:8080/twiki/cgi-bin/edit/Main/WebHome?twiki_redirect_cache=e07935084e08a25650d3599061faa79a
I have not yet encountered any other situations where the same issue occurs, but my testing to date has been limited to verifying the new installation before doing a backup/restore from the old TWiki.
--
TWiki:Main/JosephZamzow
- 2012-06-06
Thank you Joseph! Patch looks good, and no security issue.
Fix is now in SVN trunk and 5.1 branch.
Patch:
--- lib/TWiki/LoginManager/TemplateLogin.pm.old
+++ lib/TWiki/LoginManager/TemplateLogin.pm
@@ -140,7 +140,7 @@
my $remember = $query->param( 'remember' );
# Item6673: Cleanup origurl parameter
- $origurl =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g if( $origurl );
+ $origurl =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&\~]//g if( $origurl );
# Eat these so there's no risk of accidental passthrough
$query->delete( 'origurl', 'username', 'password' );
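Review bot: the filter rewrites the value instead of rejecting it, and that is exactly how the bad redirect target is produced: any character outside the class is silently deleted and whatever remains is used as origurl, so `/~twiki/...` turned into `/twiki/...` before this change. Adding `~` cures this one symptom, but the class as printed still lacks `=` and `%`, so `t=1338999966` in the origurl posted above, and any percent-encoded path component, are mangled the same way. Safer to match the whole value against an allowed pattern and fall back to a default URL when it fails, e.g. `$origurl = '' unless $origurl =~ m{^/[a-zA-Z0-9_\-.:/?;&~%=]*$} && $origurl !~ m{^//};`, which also keeps the redirect target on this host. Minor: inside a character class `~` needs no backslash, so `\~` can be written `~`.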
--
TWiki:Main.PeterThoeny
- 2012-06-07
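To see concretely what the Item6673 filter does to the URL Joseph posted, here is an added example (my code, not TWiki's) that runs the pre-patch and post-patch character classes, exactly as they appear in the hunk above, over that origurl, and beside them a reject-instead-of-strip variant that I am proposing rather than something TWiki ships. The helper names, the default URL `/~twiki/cgi-bin/view` and the `attacker.example` host are my assumptions; note that the classes as printed also drop `=`, so the query string is altered as well, not just the tilde.

```perl
#!/usr/bin/perl
# Added example, not TWiki code. Shows what the old and patched Item6673
# filters do to the origurl from the thread, and a reject-instead-of-strip
# alternative. Helper names and the default URL are assumptions of mine.
use strict;
use warnings;

# origurl value exactly as it appears in the login URL posted above
my $origurl = '/~twiki/cgi-bin/edit/Main/WebHome?t=1338999966;nowysiwyg=0';

# Before the patch: '~' is not in the class, so it is silently removed
# (and so is '=', which is not in the class either)
sub clean_old {
    my ($u) = @_;
    $u =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&]//g if $u;
    return $u;
}

# After the patch: '~' is allowed through (the backslash in the hunk's \~
# is redundant inside a character class, so it is written plainly here)
sub clean_new {
    my ($u) = @_;
    $u =~ s/[^a-zA-Z0-9_\-\.\:\/\?\;\&~]//g if $u;
    return $u;
}

# My alternative (not part of the patch): validate the whole value and fall
# back to a known-safe default instead of rewriting it character by
# character. Only host-relative paths are accepted, so the redirect cannot
# leave this site, and a value containing anything unexpected is dropped
# rather than turned into a different URL. '%' and '=' are allowed so
# percent-encoded components and key=value query strings survive.
sub clean_strict {
    my ($u, $default) = @_;
    return $default unless defined $u
        && $u =~ m{^/[a-zA-Z0-9_\-\.\:/\?\;\&~%=]*$}   # leading '/' => same host
        && $u !~ m{^//};                                # '//host/...' is not local
    return $u;
}

my $default = '/~twiki/cgi-bin/view';   # assumed safe landing page

for my $case (
    [ 'old filter',       clean_old($origurl) ],
    [ 'patched filter',   clean_new($origurl) ],
    [ 'strict filter',    clean_strict($origurl, $default) ],
    [ 'strict, external', clean_strict('http://attacker.example/', $default) ],
    [ 'strict, //host',   clean_strict('//attacker.example/x', $default) ],
) {
    printf "%-18s %s\n", $case->[0] . ':', $case->[1];
}
```

Running it shows the old filter producing a URL under `/twiki/` with the `=` signs gone, the patched filter keeping the tilde but still dropping `=`, and the strict variant passing the original origurl unchanged while mapping the two off-site targets to the default page.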
Here's an Apache hack to make the tildes work, at least until the next release...
RedirectMatch /user(.*)$ http://webserver/~user$1
--
TWiki:Main.JasonBrooks
- 2012-06-20