Opened 15 years ago

Closed 15 years ago

Last modified 5 years ago

#9069 closed enhancement (wontfix)

Do not allow wiki page names that start with slash or backslash or have backslashes in their name

Reported by: Carsten Klein <carsten.klein@…>
Owned by:
Priority: normal
Milestone:
Component: general
Version: 0.12dev
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I just stumbled over this while testing possible page names:

   wiki//////////////test

is a valid page name

   wiki/\\\\\\\\\\test

is a valid page name

   wiki/               \\\  \\/           /       /////test

is a valid page name.

It would be nice to have trac impose some sanity on the user by removing such multiple occurrences of forward slashes, and altogether prohibit the use of the backslash in page names.

Additionally, whitespace must only occur between non-whitespace and must not prefix any names in the path, e.g.

/abc def/foo   bar

would be a valid page name

whereas

/    abc def/foo   bar

would not. Any leading whitespace in the path component should lead to an error, or should at least be removed and the requested page should be redirected to the normalized page name, e.g.

In addition, multiple occurrences of a single whitespace character should be collapsed into a single whitespace character

/abc%20def/foo%20bar

TIA for fixing this

Attachments (0)

Change History (4)

comment:1 by Carsten Klein <carsten.klein@…>, 15 years ago

One more, which is most malicious if you have a hacker that hacked into your site, provably using it for distribution of, for example, malicious URLs:

   wiki/                        /

is also a valid page name, leading to an empty line in the wiki page index, one that can be easily missed when checking the available pages.

PS: remember the times when FTP servers got hacked for distribution of both warez and malware; hackers back then resorted to creating subdirectories in the FTP directory using whitespace and other, similar characters…

comment:2 by Carsten Klein <carsten.klein@…>, 15 years ago

Side note: MediaWiki, at least, collapses all recurring whitespace into one, but keeps the backslashes and multiple occurrences of the forward slash.

and,

    wiki/                     /

leads over to a page defining/explaining the forward slash.

similarly,

    wiki///

leads to a page defining/explaining the use of the double forward slash.

Thus I think multiple occurrences of the forward slash should be permitted by the system, although I question the actual benefit of such a solution.

in reply to:  2 comment:3 by Carsten Klein <carsten.klein@…>, 15 years ago

Replying to Carsten Klein <carsten.klein@…>:

> side note: the mediawiki, at least, collapses all recurring whitespace into one, but keeps the backslashes and multiple occurrences of the forward slash.

It must read: whitespace-only parts of the resource path are completely removed, e.g.

  wiki/           /

becomes

  wiki//

comment:4 by Remy Blank, 15 years ago

Resolution: wontfix
Status: new → closed

Trac tries to impose as few constraints on the user as possible, but to provide the tools for those who wish to do so. In this case, you can validate the page name (and content) with the IWikiPageManipulator extension point.

As all the tools are available, I'm closing this as "wontfix".
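An added example, not part of the ticket or of Trac's own code: a sketch of a plugin that uses the IWikiPageManipulator extension point mentioned in comment:4 to reject the page names reported above. The component name `PageNameSanity`, the helper `page_name_problems` and the exact policy (no backslashes, no empty or whitespace-only path components, no leading, trailing or repeated whitespace) are assumptions taken from the reporter's request; page names are the part of the path after `wiki/`.

```python
import re

try:  # Trac is only needed when this file is installed as a plugin
    from trac.core import Component, implements
    from trac.wiki.api import IWikiPageManipulator
except ImportError:  # lets page_name_problems() be tested without Trac
    Component = None


def page_name_problems(name):
    """Return the reasons `name` breaks the (assumed) naming policy."""
    problems = []

    def add(msg):
        if msg not in problems:
            problems.append(msg)

    if '\\' in name:
        add('backslash in page name')
    for part in name.split('/'):
        if part == '':
            add('empty path component (leading, repeated or trailing slash)')
        elif not part.strip():
            add('whitespace-only path component')
        elif part != part.strip():
            add('leading or trailing whitespace in a path component')
        elif re.search(r'\s{2,}', part):
            add('repeated whitespace in a path component')
    return problems


if Component is not None:
    class PageNameSanity(Component):
        """Hypothetical plugin component; reject saves of badly named pages."""
        implements(IWikiPageManipulator)

        def prepare_wiki_page(self, req, page, fields):
            pass  # nothing to pre-fill

        def validate_wiki_page(self, req, page):
            # (None, message) marks an error on the page as a whole
            return [(None, 'Invalid page name: ' + p)
                    for p in page_name_problems(page.name)]
```

Rejecting on save, rather than silently normalizing, keeps names such as the whitespace-only component from comment:1 out of the page index without changing any existing links.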
