Item13549: Filter backslash from Topic and Attachment names
Priority: Security
Current State: Closed
Released In: 2.0.1
Target Release: patch
Applies To: Engine
Component:
Branches: master
Item13525
NameFilter doesn't include the backslash. It breaks search completely on Foswiki 2.0. Any web containing that topic name cannot be searched. On 1.1.9, search can find the topic without crashing, but it displays only part of the name. Topic Ab/Cd displays as "Cd" on 1.1.9, so the topic cannot be reached.
Recreate: Go to sandbox, create a topic named Ab\Cd. Save. Topic is saved, and can be edited. But visit Sandbox.WebHome and search crashes.
Could not perform search. Error was: Assertion failed!
at /var/www/foswiki/distro/core/lib/AssertOn.pm line 30.
Assert::ASSERT("") called at /var/www/foswiki/distro/core/lib/Foswiki/MetaCache.pm line 216
Foswiki::MetaCache::get(Foswiki::MetaCache=HASH(0x421fe30), "Litterbox.Cd") called at /var/www/foswiki/distro/core/lib/Foswiki/Search/InfoCache.pm line 302
Foswiki::Search::InfoCache::sortTopics(ARRAY(0x3e21810), "modified", "") called at /var/www/foswiki/distro/core/lib/Foswiki/Search/InfoCache.pm line 220
Foswiki::Search::InfoCache::sortResults(Foswiki::Search::InfoCache=HASH(0x3e21990), HASH(0x40a11c0)) called at /var/www/foswiki/distro/core/lib/Foswiki/Search/ResultSet.pm line 273
Foswiki::Search::ResultSet::sortResults(Foswiki::Search::ResultSet=HASH(0x421fea8), HASH(0x40a11c0)) called at /var/www/foswiki/distro/core/lib/Foswiki/Iterator/FilterIterator.pm line 64
Foswiki::Iterator::FilterIterator::sortResults(Foswiki::Iterator::FilterIterator=HASH(0x41f8778), HASH(0x40a11c0)) called at /var/www/foswiki/distro/core/lib/Foswiki/Store/Interfaces/QueryAlgorithm.pm line 140
Foswiki::Store::Interfaces::QueryAlgorithm::query(Foswiki::Store::SearchAlgorithms::Forking=HASH(0x41abdd8), Foswiki::Search::Node=HASH(0x41502e8), undef, Foswiki=HASH(0x2787f00), HASH(0x40a11c0)) called at /var/www/foswiki/distro/core/lib/Foswiki/Store/PlainFile.pm line 886
Foswiki::Store::PlainFile::query(Foswiki::Store::PlainFile=HASH(0x31737f0), Foswiki::Search::Node=HASH(0x41502e8), undef, Foswiki=HASH(0x2787f00), HASH(0x40a11c0)) called at /var/www/foswiki/distro/core/lib/Foswiki/Meta.pm line 984
Marking as a security task, as it can DoS a web.
--
GeorgeClark - 21 Jul 2015
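The following is an added example, not code from Foswiki or from this report. It applies a name filter with and without the backslash to a set of topic names, then lists names that a corrected filter would reject but that may already have been saved. The two character classes are simplified stand-ins assumed for illustration (they are not Foswiki's shipped NameFilter value), and the topic names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed, simplified filters for illustration only. Each is a character
# class of characters that must not appear in a topic or attachment name.
my $before = '[\s*?~^$@%"&|<>;\[\]#\x00-\x1f]';        # backslash missing
my $after  = '[\\\\\s*?~^$@%"&|<>;\[\]#\x00-\x1f]';    # backslash included

# Return 1 if $name contains no character matched by the filter, else 0.
sub is_valid_name {
    my ( $name, $filter ) = @_;
    return 0 unless defined $name && length $name;
    return $name =~ /$filter/ ? 0 : 1;
}

# Return the names that the given filter rejects. Useful after tightening
# the filter, because names saved under the old filter are still on disk.
sub names_to_rename {
    my ( $filter, @names ) = @_;
    return grep { !is_valid_name( $_, $filter ) } @names;
}

# Constructed sample of names, including the one from the report.
my @existing = ( 'WebHome', 'Ab\\Cd', 'TestTopic1', 'Trailing\\' );

for my $name (@existing) {
    printf "%-12s before=%-6s after=%s\n", $name,
      is_valid_name( $name, $before ) ? 'accept' : 'reject',
      is_valid_name( $name, $after )  ? 'accept' : 'reject';
}

my @rename = names_to_rename( $after, @existing );
print "Saved under the old filter, rejected by the new one: @rename\n";
```

Tightening the filter only stops new names from being created; names that were saved earlier still need to be found and renamed.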