You are here: Foswiki>Tasks Web>Item13917 (04 Mar 2016, GeorgeClark)Edit Attach

Item13917: NameFilter not working on 2.0 / 2.1 if configure reset to default is used.

pencil
Priority: Security
Current State: Closed
Released In: 2.1.0
Target Release: minor
Applies To: Engine
Component: Configure
Branches: master Item13897
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
The NameFilter on Foswiki 2.0 / 2.1 is broken, and configure makes it worse.

Cut/paste the 1.1.9 name filter into the 2.1 LocalSite.cfg and the filter out begins working.

1.1.9 Filter
$Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
2.1.0 default install
$Foswiki::cfg{NameFilter} = '[\\\\\\s\\*?~^\\$@%`"\'\\x26;:|\\x3c>\\[\\]#\\x00-\\x1f]';
2.1.0 configure after "reset to default"
$Foswiki::cfg{NameFilter} = '[\\\\\\\\\\\\s\\\\*?~^\\\\$@%`"\\\'\\\\x26;:|\\\\x3c>\\\\[\\\\]#\\\\x00-\\\\x1f]';

It may be that days of the NameFilter are numbered anyway, as the following topic demonstrates: http://trunk.foswiki.org/Sandbox/Jomo.▁▂▃▅▆▇

-- GeorgeClark - 11 Jan 2016

Combining Characters can create topics like: http://trunk.foswiki.org/Sandbox/Jomo/̴%CC%B5̶%CC%B7%CC%B8̡̢̧̨̛̖̗̘̙̜̝̞̟̠̣̤̥̦̩̪̫̬̭̮̯̰̱̲̳̹̺̻̼͇͈͉͍͎̀́̂̃̄̅̆̇̈̉̊̋̌̍̎̏̐̑̒̓̔̽̾̿͂͆͊͋͌̕̚Ι%CD%8F͓͔͕͖͙͚͐͑͒͗͛ͣ͘͜͟͢͝͞͠͡

-- GeorgeClark - 11 Jan 2016

Here is the NameFilter JSON data. It looks like the \ is doubled in the json response.
      {
         "class" : "Foswiki::Configure::Value",
         "defined_at" : [
            "/var/www/foswiki/distro/core/lib/Foswiki.spec",
            984
         ],
         "depth" : 3,
         "default" : "'[\\\\\\\\\\\\s\\\\*?~^\\\\$@%`\"\\'\\\\x26;:|\\\\x3c>\\\\[\\\\]#\\\\x00-\\\\x1f
]'",
         "CHECK" : {
            "undefok" : 0,
            "emptyok" : 1
         },
         "LABEL" : "Name Filter",
         "typename" : "REGEX",
         "desc" : "Filter-out regex for web names, topic names, usernames,\ninclude paths and skin names
. This is a filter *out*, so if any of the\ncharacters matched by this expression are seen in names,
 they will be\nremoved.",
         "current_value" : "[\\\\\\s\\*?~^\\$@%`\"'\\x26;:|\\x3c>\\[\\]#\\x00-\\x1f]",
         "EXPERT" : 1,
         "keys" : "{NameFilter}"
      },

-- GeorgeClark - 11 Jan 2016

tools/configure -getspec {NameFilter}

Demonstrates the doubling of backslashes in regexes as well, however it seems to be inconsistent, not all regexes. UploadFilter is not doubled. NameFilter and AttachmentNameFilter are doubled.

-- GeorgeClark - 11 Jan 2016

Checking for consistency of coding:
  • The cause of differences is that Foswiki.spec is parsed, where as LocalSite.cfg is eval'd.
  • In Foswiki.spec, backslashes are doubled only when ... (I have no idea why) But \\\\ is used to filter a backslash.
  • In LocalSite.cfg, backslashes are doubled when as in Foswiki.spec and also when used as a regex escape. so \\[ matches [. Necessary because perl treats single \ as a string escape.
  • In both files, single quote is escaped as \' because it's a single quoted string

These are all taken from a fresh bootstrap of master at distro:c97b5b47a1aa

Foswiki.spec:   $Foswiki::cfg{AttachmentNameFilter} = '[\\\\*?~^$@%`"\'&|<;>\[\]#\x00-\x1f]';
LocalSite.cfg:  $Foswiki::cfg{AttachmentNameFilter} = '[\\\\*?~^$@%`"\'&|<;>\\[\\]#\\x00-\\x1f]';
TML ATTACHMENTNAMEFILTER                               [\\*?~^$@%"'&|<;>\[\]#\x00-\x1f] 

LocalSite.r119: $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\\..*|$Foswiki::cfg{TrashWebName}\\..*|.*Template$|TWiki\\..*';
Foswiki.spec:   $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\..*|$Foswiki::cfg{TrashWebName}\..*|TWiki\..*';
LocalSite.cfg:  $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\\..*|$Foswiki::cfg{TrashWebName}\\..*|TWiki\\..*';

LocalSite.r119: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
Foswiki.spec:   $Foswiki::cfg{NameFilter} = '[\\\\\s*?~^$@%`"\'&|<;:>\[\]#\x00-\x1f]';
LocalSite.cfg:  $Foswiki::cfg{NameFilter} = '[\\\\\\s*?~^$@%`"\'&|<;:>\\[\\]#\\x00-\\x1f]';
JSON  "                       NAMEFILTER" : "[\\\\\\s*?~^$@%`\"'&|<;:>\\[\\]#\\x00-\\x1f]",
TML %NAMEFILTER%                             [\\\s*?~^$@%`"'&|<;:>\[\]#\x00-\x1f]

Foswiki.spec:   $Foswiki::cfg{UploadFilter} = '^((?i)\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]?htm[l]?(\..*)?|pl|py|cgi)?)$';
LocalSite.cfg:  $Foswiki::cfg{UploadFilter} = '^((?i)\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]?htm[l]?(\\..*)?|pl|py|cgi)?)$';
LocalSite.r119: $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';

-- GeorgeClark - 13 Jan 2016

The following patch fixes the reset issue, but I'm not checking it in, because I don't understand why all the excessive \\\backslashing is needed.

diff --git a/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js b/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
index c42154a..bc80372 100644
--- a/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
+++ b/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
@@ -179,6 +179,30 @@ var Types = {};
   });
 
   Types.REGEX = Types.STRING.extend({
+      restoreDefaultValue: function() {
+          var val = this.spec['default'];
+          if (val === 'undef')
+              val = null;
+          else
+              val = val.replace(/^\s*(["'])(.*)\1\s*$/, "$2");
+              val = val.replace(/\\\\\\/, "\\");
+          this.useVal(val);
+      },
+      isDefault: function() {
+          // trim ' from the default
+          var val = this.spec['default'];
+          if (typeof(val) === 'string') {
+              if (/^\s*'.*'\s*$/.test(val)) {
+                  // We can't use eval because JS eval behaves differently
+                  // to perl eval of a single-quoted string. The currentValue
+                  // comes from a perl eval.
+                  val = val.replace(/^\s*'(.*)'\s*$/, "$1");
+                  val = val.replace(/\'/g, "'");
+                  val = val.replace(/\\\\\\/, "\\");
+              }
+          }
+          return this.currentValue() === val;
+      }
   });
 
   Types.PERL = Types.BaseType.extend({

-- GeorgeClark - 13 Jan 2016
 
Topic revision: r14 - 04 Mar 2016, GeorgeClark - This page was cached on 02 Jun 2017 - 19:50.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License