Item1276: Setting new parent for a normal web seems to fail

Priority: Urgent
Current State: Closed
Released In: 1.0.4
Target Release: patch
Applies To: Engine
Component:
Branches:
Reported By: IngoKappler
Waiting For:
Last Change By: KennethLavrsen
Setting new parent for a normal web (so it becomes a subweb, kind of move) results in the following error:

Foswiki detected an internal error - please check your Foswiki logs and webserver logs for more information.

Insecure dependency in unlink while running with -T switch

Nevertheless the move appears to be successful after the confusion clarifies.

It is reproducible (I could provide apache logs but don't want to put them publicly here).

-- IngoKappler - 13 Mar 2009

You are going to have to be more explicit about what you did. Here's what I tried (in Release01x00):

  1. Created Sandbox/SubWeb and Sandbox/Subweb
  2. Went to Sandbox/SubWeb/WebPreferences
  3. Selected "rename/move web"
  4. Selected a new parent (in this case, I chose Sandbox/Subweb)

Worked fine, no complaints, so I guess you did something different.

-- CrawfordCurrie - 13 Mar 2009

This is what I did:

  1. Went to System/ManagingWebs
  2. Created new normal Web called TestWeb (not a Subweb)
  3. Went to TestWeb/WebPreferences
  4. Selected "rename/move web"
  5. Selected a new parent (in this case, I chose Sandbox as new parent)

Maybe that makes it reproducible?

-- IngoKappler - 13 Mar 2009

Nope; that works fine for me.

Can you isolate the problem any further, e.g. from reading the Apache log?

-- CrawfordCurrie - 13 Mar 2009

As discussed I enabled {UseLocale} in configure but it didn't solve the issue for me. I also cleared the browser cache. Then I fixed a new warning by also changing {Site}{Locale} in configure from en_US.ISO-8859-1 to C again without success.

It doesn't look to me that using $Foswiki::cfg{UseLocale} = 1; as "non-default" value should be something a user must set to solve that problem (just changed it for investigation).

I am using: This is perl, v5.10.0 built for i486-linux-gnu-thread-multi (Debian Lenny)

-- IngoKappler - 13 Mar 2009

It fails with a taint error no matter how {UseLocale} is set. Crawford you need to get an installation of for example Centos 5.2 so you can see the same error the rest of us see with respect to taint issues.

I tried to enable ASSERTS in LocalLib.cfg and then move a web. Now I get ASSERTS failing even earlier in the process. There is something that has been changed recently in the code that goofs this web moving up. I tested moving webs intensively before releasing 1.0.0 and I would have seen this earlier.

elevating to urgent

-- KennethLavrsen - 13 Mar 2009

Please test the following patch:
diff --git a/core/lib/Foswiki/UI/Manage.pm b/core/lib/Foswiki/UI/Manage.pm
index 357eeb4..2a7d2b1 100644
--- a/core/lib/Foswiki/UI/Manage.pm
+++ b/core/lib/Foswiki/UI/Manage.pm
@@ -873,8 +873,8 @@ sub _renameweb {
     foreach my $ref (@$refs) {
         $ref =~ s/\./\//go;
         my (@path) = split( /\//, $ref );
-        my $webTopic = pop(@path);
-        my $webIter = join( "/", @path );
+        my $webTopic = Foswiki::Sandbox::untaint( pop(@path), \&Foswiki::Sandbox::validateWebName );
+        my $webIter = Foswiki::Sandbox::untaint( join( "/", @path ), \&Foswiki::Sandbox::validateTopicName );
         $store->clearLease( $webIter, $webTopic );
     }
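
Review bot: The validators look swapped on the two added lines: `$webTopic` is the last element popped from the path (the topic) yet is checked with `validateWebName`, while `$webIter` is the joined web path and is checked with `validateTopicName`. Suggest `validateTopicName` for `$webTopic` and `validateWebName` for `$webIter`, particularly since `$webIter` can contain `/` for a subweb. The results also go straight into `$store->clearLease( $webIter, $webTopic )` with no check that validation succeeded, so consider skipping the reference when either value fails to validate.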

-- OlivierRaginel - 13 Mar 2009
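
The "Insecure dependency in unlink" failure reported above, and the validate-then-untaint pattern the patch relies on, shown as an added stand-alone example that is not part of the original thread and is not Foswiki code. The helpers `validate_name`, `untaint_checked` and `try_unlink`, the `/nonexistent` path and the sample names are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not Foswiki code. Run with: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical validator: hands the name back through a regex capture (the
# only way Perl clears taint) or returns undef for anything unexpected.
sub validate_name {
    my ($name) = @_;
    return $name =~ m{\A((?:[A-Z][A-Za-z0-9_]*/)*[A-Z][A-Za-z0-9_]*)\z}
      ? $1
      : undef;
}

# Hypothetical helper: untaint only through a validator, and fail closed.
sub untaint_checked {
    my ( $value, $validator ) = @_;
    my $clean = $validator->($value);
    die "name rejected by validator\n" unless defined $clean;
    return $clean;
}

# Try to remove a lock file that never exists: the taint check fires before
# the system call, so nothing on disk is touched either way.
sub try_unlink {
    my ($name) = @_;
    return 'no taint error' if eval { unlink "/nonexistent/$name.lock"; 1 };
    ( my $err = $@ ) =~ s/ at .*//s;
    return $err;
}

# Constructed sample input. Appending a zero-length tainted string taints the
# literals, standing in for names that arrived in a request.
my $taint = substr( join( '', $^X, %ENV ), 0, 0 );
my @names = map { $_ . $taint } ( 'Sandbox/TestWeb2/WebHome', 'Trash/../WebHome' );

for my $name (@names) {
    printf "%-26s tainted=%s raw unlink: %s\n",
      $name, ( tainted($name) ? 'yes' : 'no' ), try_unlink($name);
    my $clean = eval { untaint_checked( $name, \&validate_name ) };
    if ( !defined $clean ) { print "  rejected: $@"; next; }
    printf "  validated, tainted=%s unlink: %s\n",
      ( tainted($clean) ? 'yes' : 'no' ), try_unlink($clean);
}
```

The raw names trigger the taint error before any system call is made; only the name that passes the validator comes back untainted, and the one containing `..` is rejected rather than untainted.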

The following tests have been done to verify this fix:

  1. Went to System/ManagingWebs
  2. Created new normal Web called TestWeb2 (not a Subweb)
  3. Went to TestWeb2/WebPreferences
  4. Selected "rename/move web"
  5. Selected a new parent (in this case, I chose Sandbox as new parent)
  6. Created a link in Sandbox/TopicTest4 to point to Sandbox/TestWeb2/WebHome
  7. Moved TestWeb2 via "rename/move web" to Trash/TestWeb2 > SUCCESS
  8. Link followed, moved it around some times more without issues.
  9. Did the same with the existing TestWeb successfully.
  10. Moving or renaming was always done by setting new parent, so I additionally also really renamed TestWeb to TestWeb3 while moving it at the same time > no issue.

When setting $ENV{FOSWIKI_ASSERTS} = 1; in LocalLib.cfg then the following output was received:

Assertion failed!
 at /srv/www/foswiki/lib/Assert.pm line 64
   Assert::ASSERT(undef) called at /srv/www/foswiki/lib/Foswiki/Store/RcsFile.pm line 823
   Foswiki::Store::RcsFile::saveFile('Foswiki::Store::RcsWrap=HASH(0x9d2c468)', '/srv/www/foswiki/data/Sandbox/TopicTest4.lock', 'IngoKappler\x{a}1236962003') called at /srv/www/foswiki/lib/Foswiki/Store/RcsFile.pm line 667
   Foswiki::Store::RcsFile::setLock('Foswiki::Store::RcsWrap=HASH(0x9d2c468)', 1, 'IngoKappler') called at /srv/www/foswiki/lib/Foswiki/Store.pm line 1359
   Foswiki::Store::lockTopic('Foswiki::Store=HASH(0x93d1a18)', 'IngoKappler', 'Sandbox', 'TopicTest4') called at /srv/www/foswiki/lib/Foswiki/UI/Manage.pm line 1468
   Foswiki::UI::Manage::_updateWebReferringTopics('Foswiki=HASH(0x8f8b9b0)', 'Trash/TestWeb2', 'Sandbox/TestWeb2', 'ARRAY(0x93bc5a0)') called at /srv/www/foswiki/lib/Foswiki/UI/Manage.pm line 1157
   Foswiki::UI::Manage::_moveWeb('Foswiki=HASH(0x8f8b9b0)', 'Trash/TestWeb2', 'Sandbox/TestWeb2', 'ARRAY(0x93bc5a0)') called at /srv/www/foswiki/lib/Foswiki/UI/Manage.pm line 860
   Foswiki::UI::Manage::_renameweb('Foswiki=HASH(0x8f8b9b0)') called at /srv/www/foswiki/lib/Foswiki/UI/Manage.pm line 244
   Foswiki::UI::Manage::rename('Foswiki=HASH(0x8f8b9b0)') called at /srv/www/foswiki/lib/Foswiki/UI.pm line 181
   Foswiki::UI::__ANON__() called at /usr/share/perl5/Error.pm line 416
   eval {...} called at /usr/share/perl5/Error.pm line 408
   Error::subs::try('CODE(0x90f04d8)', 'HASH(0x9c2fb60)') called at /srv/www/foswiki/lib/Foswiki/UI.pm line 249
   Foswiki::UI::execute('Foswiki::Request=HASH(0x93382d0)', 'CODE(0x9382f90)', 'rename', 1) called at /srv/www/foswiki/lib/Foswiki/UI.pm line 120
   Foswiki::UI::handleRequest('Foswiki::Request=HASH(0x93382d0)') called at /srv/www/foswiki/lib/Foswiki/Engine/CGI.pm line 26
   Foswiki::Engine::CGI::run('Foswiki::Engine::CGI=HASH(0x9217fc0)') called at /srv/www/foswiki/bin/rename line 45

-- IngoKappler - 13 Mar 2009

This isn't a bug there. This is a bug in Foswiki.pm, which taints back data in debug mode, even when the input data wasn't tainted in the first place.

Therefore, without debug mode, everything is fine, but in debug mode, you're left with tainted data.

Fixing it too...

-- OlivierRaginel - 13 Mar 2009

Reproduced as follows:

This is a real security issue (will also affect Foswiki 1.0.0 and (tm)wiki 4.2.x)

Fixed on Release01x00 and trunk.

-- CrawfordCurrie - 13 Mar 2009

Re-opening so the fix for Item1299 is also associated with this bug, otherwise the commit list here would be a bit incomplete. (distro:0bbee7d85f9b)

-- OlivierRaginel - 15 Mar 2009


Summary Setting new parent for a normal web seems to fail
ReportedBy IngoKappler
Codebase 1.0.3
SVN Range Foswiki-1.0.3, Sat, 28 Feb 2009, build 2773
AppliesTo Engine
Component
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:7185ecd240a3 distro:e3d8cbae7122 distro:c897006abf87 distro:0bbee7d85f9b
TargetRelease patch
ReleasedIn 1.0.4
Topic revision: r20 - 19 Mar 2009, KennethLavrsen