
Item10564: using : in an INCLUDE will crash your foswiki

Priority: Urgent
CurrentState: Closed
AppliesTo: Engine
Component: INCLUDE
WaitingFor:

for a valid example, the following will give you a stack trace / 500

%INCLUDE{scp://quad7:~sven/yeah}%

similarly, a simple typo will do the trick too

%INCLUDE{httpd://quad7:~sven/yeah}%

additionally, this makes me wonder if we have a formal declaration and test to ensure no-one ever tries to use a ':' in the validWikiWord or validWebName regexes

set to urgent so Kenneth sees it and can judge

-- SvenDowideit - 29 Mar 2011

Must be simple to fix, so let us fix this for 1.1.3

-- KennethLavrsen - 29 Mar 2011

The simple fix is to comment out the "die" statement. The code falls through and issues a Topic Not Found warning for the complete string including the bogus handler. I've tested that and it works fine - a one-line fix.

A bit better might be to add a Warning message - unsupported include Handler "httpd" - but that violates the string freeze. Is this fix worth adding a string to the release?

-- GeorgeClark - 29 Mar 2011

Fixed for 1.1.3, we should improve on this for 1.1.4. - Verify that the include-handler exists in the IncludeHandlers directory before blindly issuing the eval. And then return a more meaningful message listing the available handlers.

-- GeorgeClark - 29 Mar 2011
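
One way to implement the check proposed in the comment above, as an added Perl example (not Foswiki's code): the scheme is looked up among the handler files actually present before any module is loaded, and an unknown scheme yields a message listing the available handlers instead of a die. The package prefix `Example::IncludeHandlers`, the function names, the scheme regex and the `doc`/`http`/`https` handler files are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
# Added illustration, not Foswiki source. The package prefix and the handler
# files created below are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Handler names come only from the *.pm files really present in $dir.
sub available_handlers {
    my ($dir) = @_;
    opendir( my $dh, $dir ) or return ();
    my @names = sort map { /^(\w+)\.pm$/ ? $1 : () } readdir($dh);
    closedir($dh);
    return @names;
}

# Returns ( $package, undef ) for a known scheme, ( undef, $message ) for an
# unknown one, and ( undef, undef ) when the argument carries no scheme.
sub resolve_include_handler {
    my ( $arg, $dir ) = @_;
    return ( undef, undef ) unless $arg =~ m/^([a-z][a-z0-9+.-]*):/i;
    my $scheme = lc $1;
    my @known  = available_handlers($dir);

    # Only a name found on disk is ever placed in a package name, so text
    # taken from the page never reaches eval/require.
    return ( "Example::IncludeHandlers::$scheme", undef )
      if grep { $_ eq $scheme } @known;

    my $list = @known ? join( ', ', @known ) : 'none';
    return ( undef,
        qq{unsupported include handler "$scheme" (available: $list)} );
}

my $dir = tempdir( CLEANUP => 1 );
for my $name (qw(doc http https)) {    # constructed handler modules
    open( my $fh, '>', File::Spec->catfile( $dir, "$name.pm" ) ) or die $!;
    close($fh);
}
for my $arg (
    'http://example.invalid/page', 'scp://quad7:~sven/yeah',
    'httpd://quad7:~sven/yeah',    'Main.WebHome'
  )
{
    my ( $pkg, $msg ) = resolve_include_handler( $arg, $dir );
    print "$arg => ",
      ( $pkg ? "load $pkg" : $msg // 'no scheme, treat as topic name' ), "\n";
}
```

The scheme echoed in the message is limited by the regex to letters, digits, `+`, `.` and `-`, so it cannot carry markup into the rendered page.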

See Item10569

-- GeorgeClark - 29 Mar 2011
 

ItemTemplate

Summary: using : in an INCLUDE will crash your foswiki
ReportedBy: SvenDowideit
Codebase: 1.1.3 beta1, trunk
SVN Range:
AppliesTo: Engine
Component: INCLUDE
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: Foswikirev:11267 Foswikirev:11268
TargetRelease: patch
ReleasedIn: 1.1.3
Topic revision: r6 - 16 Apr 2011, KennethLavrsen
 