You are here: Foswiki>Tasks Web>Item13917 (04 Mar 2016, GeorgeClark)Edit Attach

Item13917: NameFilter not working on 2.0 / 2.1 if configure reset to default is used.

pencil
Priority: Security
Current State: Closed
Released In: 2.1.0
Target Release: minor
Applies To: Engine
Component: Configure
Branches: master Item13897
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
The NameFilter on Foswiki 2.0 / 2.1 is broken, and configure makes it worse.

Cut/paste the 1.1.9 name filter into the 2.1 LocalSite.cfg and the filter out begins working.

1.1.9 Filter
$Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
2.1.0 default install
$Foswiki::cfg{NameFilter} = '[\\\\\\s\\*?~^\\$@%`"\'\\x26;:|\\x3c>\\[\\]#\\x00-\\x1f]';
2.1.0 configure after "reset to default"
$Foswiki::cfg{NameFilter} = '[\\\\\\\\\\\\s\\\\*?~^\\\\$@%`"\\\'\\\\x26;:|\\\\x3c>\\\\[\\\\]#\\\\x00-\\\\x1f]';

It may be that days of the NameFilter are numbered anyway, as the following topic demonstrates: http://trunk.foswiki.org/Sandbox/Jomo.▁▂▃▅▆▇

-- GeorgeClark - 11 Jan 2016

Combining Characters can create topics like: http://trunk.foswiki.org/Sandbox/Jomo/̴%CC%B5̶%CC%B7%CC%B8̡̢̧̨̛̖̗̘̙̜̝̞̟̠̣̤̥̦̩̪̫̬̭̮̯̰̱̲̳̹̺̻̼͇͈͉͍͎̀́̂̃̄̅̆̇̈̉̊̋̌̍̎̏̐̑̒̓̔̽̾̿͂͆͊͋͌̕̚Ι%CD%8F͓͔͕͖͙͚͐͑͒͗͛ͣ͘͜͟͢͝͞͠͡

-- GeorgeClark - 11 Jan 2016

Here is the NameFilter JSON data. It looks like the \ is doubled in the json response.
      {
         "class" : "Foswiki::Configure::Value",
         "defined_at" : [
            "/var/www/foswiki/distro/core/lib/Foswiki.spec",
            984
         ],
         "depth" : 3,
         "default" : "'[\\\\\\\\\\\\s\\\\*?~^\\\\$@%`\"\\'\\\\x26;:|\\\\x3c>\\\\[\\\\]#\\\\x00-\\\\x1f
]'",
         "CHECK" : {
            "undefok" : 0,
            "emptyok" : 1
         },
         "LABEL" : "Name Filter",
         "typename" : "REGEX",
         "desc" : "Filter-out regex for web names, topic names, usernames,\ninclude paths and skin names
. This is a filter *out*, so if any of the\ncharacters matched by this expression are seen in names,
 they will be\nremoved.",
         "current_value" : "[\\\\\\s\\*?~^\\$@%`\"'\\x26;:|\\x3c>\\[\\]#\\x00-\\x1f]",
         "EXPERT" : 1,
         "keys" : "{NameFilter}"
      },

-- GeorgeClark - 11 Jan 2016

tools/configure -getspec {NameFilter}

Demonstrates the doubling of backslashes in regexes as well, however it seems to be inconsistent, not all regexes. UploadFilter is not doubled. NameFilter and AttachmentNameFilter are doubled.

-- GeorgeClark - 11 Jan 2016

Checking for consistency of coding:
  • The cause of differences is that Foswiki.spec is parsed, where as LocalSite.cfg is eval'd.
  • In Foswiki.spec, backslashes are doubled only when ... (I have no idea why) But \\\\ is used to filter a backslash.
  • In LocalSite.cfg, backslashes are doubled when as in Foswiki.spec and also when used as a regex escape. so \\[ matches [. Necessary because perl treats single \ as a string escape.
  • In both files, single quote is escaped as \' because it's a single quoted string

These are all taken from a fresh bootstrap of master at distro:c97b5b47a1aa

Foswiki.spec:   $Foswiki::cfg{AttachmentNameFilter} = '[\\\\*?~^$@%`"\'&|<;>\[\]#\x00-\x1f]';
LocalSite.cfg:  $Foswiki::cfg{AttachmentNameFilter} = '[\\\\*?~^$@%`"\'&|<;>\\[\\]#\\x00-\\x1f]';
TML ATTACHMENTNAMEFILTER                               [\\*?~^$@%"'&|<;>\[\]#\x00-\x1f] 

LocalSite.r119: $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\\..*|$Foswiki::cfg{TrashWebName}\\..*|.*Template$|TWiki\\..*';
Foswiki.spec:   $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\..*|$Foswiki::cfg{TrashWebName}\..*|TWiki\..*';
LocalSite.cfg:  $Foswiki::cfg{Cache}{DependencyFilter} = '$Foswiki::cfg{SystemWebName}\\..*|$Foswiki::cfg{TrashWebName}\\..*|TWiki\\..*';

LocalSite.r119: $Foswiki::cfg{NameFilter} = '[\\s\\*?~^\\$@%`"\'&;|<>\\[\\]#\\x00-\\x1f]';
Foswiki.spec:   $Foswiki::cfg{NameFilter} = '[\\\\\s*?~^$@%`"\'&|<;:>\[\]#\x00-\x1f]';
LocalSite.cfg:  $Foswiki::cfg{NameFilter} = '[\\\\\\s*?~^$@%`"\'&|<;:>\\[\\]#\\x00-\\x1f]';
JSON  "                       NAMEFILTER" : "[\\\\\\s*?~^$@%`\"'&|<;:>\\[\\]#\\x00-\\x1f]",
TML %NAMEFILTER%                             [\\\s*?~^$@%`"'&|<;:>\[\]#\x00-\x1f]

Foswiki.spec:   $Foswiki::cfg{UploadFilter} = '^((?i)\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]?htm[l]?(\..*)?|pl|py|cgi)?)$';
LocalSite.cfg:  $Foswiki::cfg{UploadFilter} = '^((?i)\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]?htm[l]?(\\..*)?|pl|py|cgi)?)$';
LocalSite.r119: $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';

-- GeorgeClark - 13 Jan 2016

The following patch fixes the reset issue, but I'm not checking it in, because I don't understand why all the excessive \\\backslashing is needed.

diff --git a/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js b/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
index c42154a..bc80372 100644
--- a/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
+++ b/ConfigurePlugin/pub/System/ConfigurePlugin/types.uncompressed.js
@@ -179,6 +179,30 @@ var Types = {};
   });
 
   Types.REGEX = Types.STRING.extend({
+      restoreDefaultValue: function() {
+          var val = this.spec['default'];
+          if (val === 'undef')
+              val = null;
+          else
+              val = val.replace(/^\s*(["'])(.*)\1\s*$/, "$2");
+              val = val.replace(/\\\\\\/, "\\");
+          this.useVal(val);
+      },
+      isDefault: function() {
+          // trim ' from the default
+          var val = this.spec['default'];
+          if (typeof(val) === 'string') {
+              if (/^\s*'.*'\s*$/.test(val)) {
+                  // We can't use eval because JS eval behaves differently
+                  // to perl eval of a single-quoted string. The currentValue
+                  // comes from a perl eval.
+                  val = val.replace(/^\s*'(.*)'\s*$/, "$1");
+                  val = val.replace(/\'/g, "'");
+                  val = val.replace(/\\\\\\/, "\\");
+              }
+          }
+          return this.currentValue() === val;
+      }
   });
 
   Types.PERL = Types.BaseType.extend({

-- GeorgeClark - 13 Jan 2016
 
Topic revision: r14 - 04 Mar 2016, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy