Opened 13 years ago
Closed 13 years ago
#10274 closed defect (fixed)
Wiki system should validate page name to create, rename and import
| Reported by: | Jun Omae | Owned by: | Jun Omae |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.12.3 |
| Component: | wiki system | Version: | 0.12-stable |
| Severity: | normal | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Reproduce invalid renaming using browser
- Show wiki:WikiStart.
- Click "Rename page" button
- Enter "..////WikiStart" as new page name and submit.
- Error "No handler matched request to /WikiStart" happens.
- wiki:TitleIndex lists "..////WikiStart" page.
Reproduce invalid creating page name using w3m
- Launch w3m browser.
- Enter url
http://localhost/trac/wiki/../Test. - Click "Create this page" button.
- Enter wiki contents and save the page
- w3m can access
http://localhost/trac/wiki/../Test, however other browsers cannot access this url.
Reproduce invalid renaming and importing using trac-admin
Try the following commands.
Trac [/var/trac/0.12-stable]> wiki rename WikiStart ../WikiStart Trac [/var/trac/0.12-stable]> wiki import PageTemplates/////slashes /etc/hosts Trac [/var/trac/0.12-stable]> wiki import ../invalid-wikipage/.. /etc/hosts Trac [/var/trac/0.12-stable]> wiki import ././././. /etc/hosts
Sorry, no patch.
Attachments (0)
Change History (7)
follow-up: 2 comment:1 by , 13 years ago
follow-up: 3 comment:2 by , 13 years ago
Do you mean, no patch… yet?
I mean that I only report the issue and do not begin to work it.
comment:3 by , 13 years ago
| Milestone: | 0.12.3 → next-minor-0.12.x |
|---|
Replying to jomae:
I mean that I only report the issue and do not begin to work it.
Ok, then we'll schedule this for a later milestone.
follow-up: 5 comment:4 by , 13 years ago
I worked for the issue on changeset/t10274-wrong-wiki-name/jomae.
- Added
validate_page_nameintrac.wiki.api, validator for Wiki page name. - Added validations for wiki name in
WikiPage.save()andWikiPage.rename(). - When a user rename to invalid wiki name (e.g.
../WikiStart), Trac blocks the renaming and shows a warning. - When a user access the invalid wiki name (e.g. http://localhost/wiki/WikiStart%2f..%2f..%2fvar), Trac raises
TracError.
Thoughts? Should we use _resolve_relative_name for a new page name on the renaming?
follow-up: 6 comment:5 by , 13 years ago
Replying to jomae:
Thoughts?
The changes look fine (I only did a quick read). Good work!
Should we use
_resolve_relative_namefor a new page name on the renaming?
I have a small preference for not resolving the new page name as a relative name, because it seems that people already have trouble understanding the relative names, so I would rather keep things explicit.
comment:6 by , 13 years ago
| Milestone: | next-minor-0.12.x → 0.12.3 |
|---|---|
| Owner: | set to |
Replying to rblank:
I have a small preference for not resolving the new page name as a relative name, because it seems that people already have trouble understanding the relative names, so I would rather keep things explicit.
Thanks for your comments! I also think it need not the resolving. Committed in r10786 without additional changes.
comment:7 by , 13 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
You're doing some nasty things with your wiki ;) Do you mean, no patch… yet?