Priority: Security
Current State: Closed
Released In: 2.1.0
Target Release: minor
Applies To: Engine
Component: Configure
Branches: master
Item13897
The NameFilter on Foswiki 2.0 / 2.1 is broken, and configure makes it worse.
Cut/paste the 1.1.9 name filter into the 2.1
LocalSite.cfg and the filter out begins working.
- 1.1.9 Filter
-
$Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
- 2.1.0 default install
-
$Foswiki::cfg{NameFilter} = '[\\\\\\s\\*?~^\\$@%`"\'\\x26;:|\\x3c>\\[\\]#\\x00-\\x1f]';
- 2.1.0 configure after "reset to default"
-
$Foswiki::cfg{NameFilter} = '[\\\\\\\\\\\\s\\\\*?~^\\\\$@%`"\\\'\\\\x26;:|\\\\x3c>\\\\[\\\\]#\\\\x00-\\\\x1f]';
It may be that days of the NameFilter are numbered anyway, as the following topic demonstrates:
http://trunk.foswiki.org/Sandbox/Jomo.▁▂▃▅▆▇
--
GeorgeClark - 11 Jan 2016
Combining Characters can create topics like:
http://trunk.foswiki.org/Sandbox/Jomo/̴%CC%B5̶%CC%B7%CC%B8̡̢̧̨̛̖̗̘̙̜̝̞̟̠̣̤̥̦̩̪̫̬̭̮̯̰̱̲̳̹̺̻̼͇͈͉͍͎̀́̂̃̄̅̆̇̈̉̊̋̌̍̎̏̐̑̒̓̔̽̾̿͂͆͊͋͌̕̚Ι%CD%8F͓͔͕͖͙͚͐͑͒͗͛ͣ͘͜͟͢͝͞͠͡
--
GeorgeClark - 11 Jan 2016
Here is the
NameFilter JSON data. It looks like the \ is doubled in the json response.
{
"class" : "Foswiki::Configure::Value",
"defined_at" : [
"/var/www/foswiki/distro/core/lib/Foswiki.spec",
984
],
"depth" : 3,
"default" : "'[\\\\\\\\\\\\s\\\\*?~^\\\\$@%`\"\\'\\\\x26;:|\\\\x3c>\\\\[\\\\]#\\\\x00-\\\\x1f
]'",
"CHECK" : {
"undefok" : 0,
"emptyok" : 1
},
"LABEL" : "Name Filter",
"typename" : "REGEX",
"desc" : "Filter-out regex for web names, topic names, usernames,\ninclude paths and skin names
. This is a filter *out*, so if any of the\ncharacters matched by this expression are seen in names,
they will be\nremoved.",
"current_value" : "[\\\\\\s\\*?~^\\$@%`\"'\\x26;:|\\x3c>\\[\\]#\\x00-\\x1f]",
"EXPERT" : 1,
"keys" : "{NameFilter}"
},
--
GeorgeClark - 11 Jan 2016
tools/configure -getspec {NameFilter}
Demonstrates the doubling of backslashes in regexes as well, however it seems to be inconsistent, not all regexes.
UploadFilter is not doubled.
NameFilter and
AttachmentNameFilter are doubled.
--
GeorgeClark - 11 Jan 2016
Checking for consistency of coding:
- The cause of differences is that Foswiki.spec is parsed, where as LocalSite.cfg is eval'd.
- In Foswiki.spec, backslashes are doubled only when ... (I have no idea why) But \\\\ is used to filter a backslash.
- In LocalSite.cfg, backslashes are doubled when as in Foswiki.spec and also when used as a regex escape. so \\[ matches [. Necessary because perl treats single \ as a string escape.
- In both files, single quote is escaped as \' because it's a single quoted string
These are all taken from a fresh bootstrap of master at
distro:c97b5b47a1aa
Foswiki.spec: $Foswiki::cfg{AttachmentNameFilter} = '[\\\\*?~^$@%`"\'&|<;>\[\]#\x00-\x1f]';
LocalSite.cfg: $Foswiki::cfg{AttachmentNameFilter} = '[\\\\*?~^$@%`"\'&|<;>\\[\\]#\\x00-\\x1f]';
TML ATTACHMENTNAMEFILTER [\\*?~^$@%"'&|<;>\[\]#\x00-\x1f]
LocalSite.r119: $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\\..*|$Foswiki::cfg{TrashWebName}\\..*|.*Template$|TWiki\\..*';
Foswiki.spec: $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\..*|$Foswiki::cfg{TrashWebName}\..*|TWiki\..*';
LocalSite.cfg: $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\\..*|$Foswiki::cfg{TrashWebName}\\..*|TWiki\\..*';
LocalSite.r119: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
Foswiki.spec: $Foswiki::cfg{NameFilter} = '[\\\\\s*?~^$@%`"\'&|<;:>\[\]#\x00-\x1f]';
LocalSite.cfg: $Foswiki::cfg{NameFilter} = '[\\\\\\s*?~^$@%`"\'&|<;:>\\[\\]#\\x00-\\x1f]';
JSON " NAMEFILTER" : "[\\\\\\s*?~^$@%`\"'&|<;:>\\[\\]#\\x00-\\x1f]",
TML %NAMEFILTER% [\\\s*?~^$@%`"'&|<;:>\[\]#\x00-\x1f]
Foswiki.spec: $Foswiki::cfg{UploadFilter} = '^((?i)\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]?htm[l]?(\..*)?|pl|py|cgi)?)$';
LocalSite.cfg: $Foswiki::cfg{UploadFilter} = '^((?i)\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]?htm[l]?(\\..*)?|pl|py|cgi)?)$';
LocalSite.r119: $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';
--
GeorgeClark - 13 Jan 2016
The following patch fixes the reset issue, but I'm not checking it in, because I don't understand why all the excessive \\\backslashing is needed.
diff --git a/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js b/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
index c42154a..bc80372 100644
--- a/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
+++ b/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
@@ -179,6 +179,30 @@ var Types = {};
});
Types.REGEX = Types.STRING.extend({
+ restoreDefaultValue: function() {
+ var val = this.spec['default'];
+ if (val === 'undef')
+ val = null;
+ else
+ val = val.replace(/^\s*(["'])(.*)\1\s*$/, "$2");
+ val = val.replace(/\\\\\\/, "\\");
+ this.useVal(val);
+ },
+ isDefault: function() {
+ // trim ' from the default
+ var val = this.spec['default'];
+ if (typeof(val) === 'string') {
+ if (/^\s*'.*'\s*$/.test(val)) {
+ // We can't use eval because JS eval behaves differently
+ // to perl eval of a single-quoted string. The currentValue
+ // comes from a perl eval.
+ val = val.replace(/^\s*'(.*)'\s*$/, "$1");
+ val = val.replace(/\'/g, "'");
+ val = val.replace(/\\\\\\/, "\\");
+ }
+ }
+ return this.currentValue() === val;
+ }
});
Types.PERL = Types.BaseType.extend({
--
GeorgeClark - 13 Jan 2016