------------------------------------------------------------------------
r21 | fw | 2004-12-16 17:11:33 +0100 (Thu, 16 Dec 2004) | 2 lines

Merge changes on TWiki trunk.
------------------------------------------------------------------------
r20 | f2u | 2004-12-15 18:34:38 +0100 (Wed, 15 Dec 2004) | 6 lines

* lib/TWiki.pm (readFromProcessArray): Remove Perl 5.8 dependency by
  using the same pipe construct as readFromProcess.  Note that in
  contrast to the readFromProcess, the command name is not part of the
  constructed argument list, but passed separately.
------------------------------------------------------------------------
r19 | f2u | 2004-11-28 18:25:29 +0100 (Sun, 28 Nov 2004) | 3 lines

* README.robustness: Describe the necessary configuration changes.
------------------------------------------------------------------------
r18 | f2u | 2004-11-28 14:11:10 +0100 (Sun, 28 Nov 2004) | 3 lines

* README.robustness: Update.
------------------------------------------------------------------------
r17 | f2u | 2004-11-28 13:10:31 +0100 (Sun, 28 Nov 2004) | 12 lines

Add some safeguards against directory traversal attacks and normalize
file names using TWiki::normalizeFileName.

* lib/TWiki/Store/RcsLite.pm (_process, _writeme): Normalize file
  names.
* lib/TWiki/Store.pm (saveFile, readTopmeta, readFile, readFileHead):
  Likewise.
* lib/TWiki/UI/Upload.pm (_imgsize): Likewise.
------------------------------------------------------------------------
r15 | f2u | 2004-11-27 22:32:26 +0100 (Sat, 27 Nov 2004) | 9 lines

* lib/TWiki.pm (normalizeFileName): Be more conservative about
  directory traversal attempts using '..'.  By default,
  normalizeFileName now dies if such a component is detected.  The old
  behavior can be activated again by passing a true value as second
  argument.
* t/20robustness.t: More test cases for normalizeFileName.
------------------------------------------------------------------------
r12 | f2u | 2004-11-27 20:18:12 +0100 (Sat, 27 Nov 2004) | 3 lines

* bin/manage: Disable relockrcs because it might be unsafe.
------------------------------------------------------------------------
r9 | f2u | 2004-11-27 17:44:45 +0100 (Sat, 27 Nov 2004) | 3 lines

* lib/TWiki/Store/RcsWrap.pm (getRevision): Invoke
  TWiki::untaintUnchecked (instead of direct untainting).
------------------------------------------------------------------------
r8 | f2u | 2004-11-27 17:35:59 +0100 (Sat, 27 Nov 2004) | 18 lines

Remove unused code around TWiki::Store::RcsWrap::setTopicRevisionTag.
This resolves another FIXME.  See the discussion at:

* lib/TWiki/Store/RcsWrap.pm (setTopicRevisionTag): Remove.
* lib/TWiki/Store/RcsWrap.pm (setTopicRevisionTag): Remove.
* lib/TWiki/Func.pm (setTopicRevisionTag): Remove.
* lib/TWiki/Store.pm (setTopicRevisionTag): Remove.
------------------------------------------------------------------------
r7 | f2u | 2004-11-27 17:26:09 +0100 (Sat, 27 Nov 2004) | 21 lines

Implement standard error to output redirection in
TWiki::readFromProcess.  This should mean that the new
TWiki::Store::RcsWrap implementation is equivalent to the old one.

* lib/TWiki.pm (readFromProcess): Stop using the Perl 5.8 safe pipe to
  subprocess construct.  Use fork-through-open, so that we can redirect
  stderr to stdout.  This introduces a dependency on the POSIX module.
  (normalizeFileName): Untaint components explicitly.  This is very
  likely a Perl bug, but we currently cannot write test cases for taint
  checks, so we are forced to defer a full analysis.  (Apparently, the
  Perl 5.8 pipe performs very little taint checking, hiding the bug.
  This needs confirmation, too.)
* lib/TWiki/Store/RcsWrap.pm (_ci): Mostly fix the FIXME, based on
  input from Crawford Currie:
* t/20robustness.t Add test case for output redirection.
------------------------------------------------------------------------
r6 | f2u | 2004-11-20 11:38:27 +0100 (Sat, 20 Nov 2004) | 22 lines

* README.robustness: Note that the backtick removal is mostly done.
* t/20robustness.t: New test cases.
* lib/TWiki.pm (buildCommandLine): Add new flags N, S, D.  Allow more
  than one replacement in each argument.
  (readFromProcess): New subroutine.
* lib/TWiki/Store/RcsWrap.pm (whole file): Replace backtick operators
  with calls to TWiki::readFromProcess.
  (_ci): FIXME, the same $cmd is invoked twice.
  (getRevision): FIXME to flag potentially unnecessary untaint
  operations.
* lib/TWiki.cfg: Update RCS configuration to include flags.
  Temporarily disable RCS output redirection.
------------------------------------------------------------------------
r5 | f2u | 2004-11-19 20:31:44 +0100 (Fri, 19 Nov 2004) | 14 lines

* README.robustness Mention test cases.
* lib/TWiki.pm (untaintUnchecked, normalizeFileName, buildCommandLine,
  readFromProcessArray): Add new subprograms.
* lib/TWiki/Search.pm Removed backtick operator from, replacing it with
  readFromProcessArray.  (The new code even is somewhat shorter.)
* t/20robustness.t Test cases.
------------------------------------------------------------------------
r4 | fw | 2004-11-17 10:24:55 +0100 (Wed, 17 Nov 2004) | 17 lines

Patch from Andrew Moise :

"If you set one of the ALLOW preferences (e.g. ALLOWWEBVIEW) to a
group that doesn't exist, or has no members, then twiki treats that as
if there were no ALLOWWEBVIEW property -- i.e. all users are allowed
access.  To me this seems surprising and wrong; I would expect all
access to the topic to be denied for all users in this case.

"I believe that the attached patch makes twiki handle this case
correctly, by treating an empty @allowList as cause for failure if it
was the result of a non-empty ALLOW preference."

* lib/TWiki/Access.pm (checkAccessPermission): Change as described.
------------------------------------------------------------------------
r3 | fw | 2004-11-16 14:41:09 +0100 (Tue, 16 Nov 2004) | 2 lines

Add README file describing the robustness branch.
------------------------------------------------------------------------
r2 | fw | 2004-11-16 14:15:06 +0100 (Tue, 16 Nov 2004) | 2 lines

Initial merge from trunk.
------------------------------------------------------------------------
r1 | fw | 2004-11-16 14:13:40 +0100 (Tue, 16 Nov 2004) | 2 lines

Create robustness branch.
------------------------------------------------------------------------
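
The backtick replacement described in r5 through r7 and r20 (fork-through-open, stderr redirected to stdout, command name passed separately from its arguments), sketched as an added example that is not code from the TWiki robustness branch. `read_from_process` is a hypothetical helper, and `/bin/ls` and the file name are constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (an assumption, not TWiki's readFromProcess): run a
# program with an explicit argument list, without a shell, and return
# (combined stdout+stderr, exit status).
sub read_from_process {
    my ($program, @args) = @_;

    # open with '-|' forks; the parent gets a read handle on the child's
    # stdout. This form also works on Perl releases older than 5.8.
    my $pid = open(my $out, '-|');
    die "cannot fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: point stderr at the same pipe as stdout, so the caller sees
        # diagnostics the way `cmd 2>&1` would deliver them, minus the shell.
        open(STDERR, '>&STDOUT') or POSIX::_exit(126);
        # Indirect-object exec never invokes /bin/sh, so metacharacters in
        # @args reach the program as plain bytes.
        exec { $program } $program, @args
            or POSIX::_exit(127);   # exec failed: exit without END blocks
    }

    # Parent: slurp everything the child wrote, then reap it.
    local $/;
    my $data = <$out>;
    close($out);                    # waits for the child and sets $?
    return (defined $data ? $data : '', $? >> 8);
}

# Constructed input: a "file name" carrying shell metacharacters. Inside
# backticks with "2>&1" this string would be parsed by the shell; here it
# is a single argument to ls, which reports it as a missing file.
my $hostile = 'Topic.txt; echo INJECTED';
my ($text, $status) = read_from_process('/bin/ls', '--', $hostile);
print "exit status: $status\n";
print "captured output: $text";
```

Using `POSIX::_exit` in the child is what brings in the POSIX dependency: a plain `exit` or `die` there would run the parent's END blocks and flush its inherited buffers a second time.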