Item10564: using : in an INCLUDE will crash your foswiki

Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component: INCLUDE
Reported By: SvenDowideit
Waiting For:
Last Change By: KennethLavrsen
for a valid example, the following will give you a stack trace / 500


similarly, a simple typo will do the trick too

additionally, this makes me wonder if we have a formal declaration and test to ensure no-one ever tries to use a ':' in the validWikiWord or validWebName regexes

set to urgent so Kenneth sees it and can judge

-- SvenDowideit - 29 Mar 2011

Must be simple to fix so let us fix this for 1.1.3

-- KennethLavrsen - 29 Mar 2011

The simple fix is to comment out the "die" statement. The code falls through and issues a Topic Not Found warning for the complete string including the bogus handler. I've tested that and it works fine - a one-line fix.

A bit better might be to add a Warning message - unsupported include Handler "httpd" - but that violates the string freeze. Is this fix worth adding a string to the release?

-- GeorgeClark - 29 Mar 2011

Fixed for 1.1.3, we should improve on this for 1.1.4. - Verify that the include-handler exists in the IncludeHandlers directory before blindly issuing the eval. And then return a more meaningful message listing the available handlers.

-- GeorgeClark - 29 Mar 2011

See Item10569

-- GeorgeClark - 29 Mar 2011
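
The follow-up proposed above for 1.1.4 (check that the include handler exists before issuing the eval, and otherwise report which handlers are available) could look like the sketch below. This is an added example, not Foswiki's own code: `available_handlers`, `resolve_include`, the result hash and the temporary handler directory are hypothetical, and the sample targets are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Names of handler modules actually present in $dir ("http" for http.pm).
sub available_handlers {
    my ($dir) = @_;
    opendir( my $dh, $dir ) or return ();
    my @names;
    while ( defined( my $f = readdir $dh ) ) {
        push @names, $1 if $f =~ /^([a-z]+)\.pm\z/;
    }
    closedir($dh);
    return sort @names;
}

# Classify an INCLUDE target without ever eval'ing an unchecked name.
# Hypothetical result shape: { kind => topic|handler|warning, ... }.
sub resolve_include {
    my ( $target, $dir ) = @_;

    # No "scheme:" prefix: an ordinary topic include.
    return { kind => 'topic', name => $target }
      unless $target =~ /^([a-z]+):/;
    my $scheme = $1;

    my @known = available_handlers($dir);
    # Only a name found on disk may reach the module-loading step.
    return { kind => 'handler', name => $scheme }
      if grep { $_ eq $scheme } @known;

    # Unknown scheme: warn and list what exists instead of dying.
    return {
        kind    => 'warning',
        message => "unsupported include handler \"$scheme\"; available: "
          . join( ', ', @known ),
    };
}

# Constructed demo: a temporary handler directory with two stub modules.
my $dir = tempdir( CLEANUP => 1 );
for my $h (qw(http doc)) {
    open( my $fh, '>', File::Spec->catfile( $dir, "$h.pm" ) ) or die $!;
    print {$fh} "1;\n";
    close($fh);
}
for my $t ( 'http://example.com/', 'httpd://example.com/', 'Main.WebHome' ) {
    my $r = resolve_include( $t, $dir );
    print "$t -> $r->{kind}: ", ( $r->{message} // $r->{name} ), "\n";
}
```

Because the scheme is compared against the directory listing and never interpolated into the string that gets evaluated, a mistyped or unexpected prefix ends in a rendered warning rather than a 500.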

ItemTemplate

Summary using : in an INCLUDE will crash your foswiki
ReportedBy SvenDowideit
Codebase 1.1.3 beta1, trunk
SVN Range
AppliesTo Engine
Component INCLUDE
Priority Urgent
CurrentState Closed
Checkins distro:e5b209138ab3 distro:3c7392c0a327
TargetRelease patch
ReleasedIn 1.1.3
Topic revision: r6 - 16 Apr 2011, KennethLavrsen