
Item12371: Request cache breaks when there is a POST parameter with empty name

Priority: Normal
Current State: Closed
Released In: 1.1.7
Target Release: patch
Applies To: Engine
Component: FoswikiRequestCache
Branches: Release01x01 trunk
Reported By: JanKrueger
Waiting For:
Last Change By: GeorgeClark
Foswiki::Request::Cache stores the request in a special format: first a few pieces of HTTP metadata, then a line with a single '=', then the POST parameters, then another '=' line, and finally a list of uploaded files, if any.

If the request contained an "empty" POST parameter (e.g. "foo=bar;=;baz=quux"), the POST parameters will be serialized in a way that makes the output contain a '=' line. This majorly confuses the loader, since it assumes that all following POST parameters are file uploads, and it dies when it tries to treat these key-value pairs as filenames.

A potential backward-compatible fix (that only breaks for already broken cache requests) is to encode an empty field name as '%' (which is otherwise invalid due to the URL encoding used on field names). So, '=bar' would be stored as '%=bar'.

-- JanKrueger - 29 Jan 2013

Fix made by JanKrueger removes any POSTed field with an empty name and value before writing the cache, and changes the ending delimiter to be an = without a value.

-- GeorgeClark - 29 Jan 2013
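A small Python model of the cache layout as the report above describes it, added here as an illustration of both the failure and the two remedies discussed (JanKrueger's '%' encoding for an empty name and GeorgeClark's dropping of fields with empty name and value). It is not Foswiki's Perl code; the exact line format, the URL-encoding of names and values, and the loader raising on a malformed upload entry are assumptions of this model.

```python
from urllib.parse import quote, unquote

# Constructed model of the layout described in the report: metadata lines,
# an '=' delimiter line, one 'name=value' line per POST parameter, another
# '=' delimiter line, then one line per uploaded file.
DELIM = "="


def serialize_naive(meta, params, files):
    """Writer as the report describes the original behaviour: an empty field
    name is written as-is, so ('', '') becomes a bare '=' line."""
    lines = list(meta) + [DELIM]
    lines += [f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params]
    lines += [DELIM] + list(files)
    return "\n".join(lines) + "\n"


def serialize_fixed(meta, params, files):
    """Writer with the remedies from the report: drop fields whose name and
    value are both empty; store a remaining empty name as '%', which
    URL-encoding can never emit for a real name."""
    lines = list(meta) + [DELIM]
    for k, v in params:
        if k == "" and v == "":
            continue
        name = "%" if k == "" else quote(k, safe="")
        lines.append(f"{name}={quote(v, safe='')}")
    lines += [DELIM] + list(files)
    return "\n".join(lines) + "\n"


def load(text):
    """Loader: the first '=' line starts the parameter section, the next one
    starts the upload list; a 'key=value' line in the upload list is the
    failure the report describes (modelled here as an exception)."""
    meta, params, files = [], [], []
    section = 0
    for line in text.splitlines():
        if line == DELIM:
            section += 1
            continue
        if section == 0:
            meta.append(line)
        elif section == 1:
            name, _, value = line.partition("=")
            params.append(("" if name == "%" else unquote(name), unquote(value)))
        else:
            if "=" in line:
                raise ValueError(f"upload entry is not a filename: {line!r}")
            files.append(line)
    return meta, params, files
```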

ItemTemplate
Summary: Request cache breaks when there is a POST parameter with empty name
ReportedBy: JanKrueger
Codebase: 1.1.6, trunk
SVN Range:
AppliesTo: Engine
Component: FoswikiRequestCache
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: distro:d75cd7af0e20 distro:8146fe805156
TargetRelease: patch
ReleasedIn: 1.1.7
CheckinsOnBranches: Release01x01 trunk
trunkCheckins: distro:d75cd7af0e20
Release01x01Checkins: distro:8146fe805156
Topic revision: r6 - 01 Feb 2013, GeorgeClark