Item10564: using : in an INCLUDE will crash your foswiki

Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component: INCLUDE
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: KennethLavrsen
for a valid example, the following will give you a stack trace / 500

%INCLUDE{scp://quad7:~sven/yeah}%

similarly, a simple typo will do the trick too
%INCLUDE{httpd://quad7:~sven/yeah}%

additionally, this makes me wonder if we have a formal declaration and test to ensure no-one ever tries to use a ':' in the validWikiWord or validWebName regexes

set to urgent so Kenneth sees it and can judge

-- SvenDowideit - 29 Mar 2011

Must be simple to fix so let us fix this for 1.1.3

-- KennethLavrsen - 29 Mar 2011

The simple fix is to comment out the "die" statement. The code falls through and issues a Topic Not Found warning for the complete string including the bogus handler. I've tested that and it works fine - a one-line fix.

A bit better might be to add a Warning message - unsupported include Handler "httpd" - but that violates the string freeze. Is this fix worth adding a string to the release?

-- GeorgeClark - 29 Mar 2011

Fixed for 1.1.3, we should improve on this for 1.1.4. - Verify that the include-handler exists in the IncludeHandlers directory before blindly issuing the eval. And then return a more meaningful message listing the available handlers.

-- GeorgeClark - 29 Mar 2011

See Item10569

-- GeorgeClark - 29 Mar 2011
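
The follow-up check proposed above for 1.1.4, sketched as an added example (not the Foswiki code or the committed fix): the handler name taken from the INCLUDE argument is matched against the files present in a handler directory before anything is loaded, and an unknown name yields a message listing the available handlers instead of a die. The function names, the `^([a-z]+):` prefix pattern and the constructed `http`/`https`/`doc` handler files are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Handler names are the <name>.pm files found in the handler directory.
sub available_handlers {
    my ($dir) = @_;
    opendir( my $dh, $dir ) or return ();
    my @names = sort map { m/^([a-z]+)\.pm\z/ ? ($1) : () } readdir($dh);
    closedir($dh);
    return @names;
}

# Classify the first INCLUDE argument (hypothetical helper).
# Returns ('handler', $name), ('topic', $arg) or ('error', $message).
sub resolve_include {
    my ( $arg, $dir ) = @_;

    # Assumed prefix pattern: no "scheme:" prefix means an ordinary topic name.
    return ( 'topic', $arg ) unless $arg =~ /^([a-z]+):/;
    my $scheme = $1;

    # Allowlist check first; nothing is eval'd or required for unknown names.
    my @known = available_handlers($dir);
    return ( 'handler', $scheme ) if grep { $_ eq $scheme } @known;
    return ( 'error',
        qq{unsupported include handler "$scheme"; available: }
          . join( ', ', @known ) );
}

# Constructed handler directory standing in for IncludeHandlers.
my $dir = tempdir( CLEANUP => 1 );
for my $name (qw(http https doc)) {
    open( my $fh, '>', File::Spec->catfile( $dir, "$name.pm" ) ) or die $!;
    print {$fh} "1;\n";
    close($fh);
}

# The two inputs from this report, plus a known handler and a plain topic.
for my $arg ( 'scp://quad7:~sven/yeah', 'httpd://quad7:~sven/yeah',
    'http://example.com/page', 'Main.WebHome' )
{
    my ( $kind, $value ) = resolve_include( $arg, $dir );
    print "$arg => $kind: $value\n";
}
```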
 

ItemTemplate

Summary using : in an INCLUDE will crash your foswiki
ReportedBy SvenDowideit
Codebase 1.1.3 beta1, trunk
SVN Range
AppliesTo Engine
Component INCLUDE
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:e5b209138ab3 distro:3c7392c0a327
TargetRelease patch
ReleasedIn 1.1.3
Topic revision: r6 - 16 Apr 2011, KennethLavrsen