
Item12675: normalizeWebTopicName taints its result if UseLocale=1

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: I18N
Branches: Release01x01 trunk
Reported By: MartinVonGagern
Waiting For:
Last Change By: GeorgeClark
If Foswiki is configured to UseLocale and run with the equivalent of perl -T, then the regular expression match m|^(.*)[./](.*?)$| in normalizeWebTopicName will taint the resulting web and topic names, which can later on lead to access problems, e.g. if that name is used to compute a file name for opening.

This might well be a bug in perl, but even if that is the case, Foswiki should probably try to work around it. One possibility might be enclosing that expression in a block with a no locale pragma. Another solution would be moving the s#\.#/#g; up to before that match, and change the regular expression to only match / instead of [./]. That seems to do the trick, although I don't know why.

-- MartinVonGagern - 03 Dec 2013

The use of Taint checking along with Locales is a big problem. There are a number of places where things go awry. There are plans for a Foswiki that better supports locales, but it will probably mean we have to do away with -T taint checking. There were some attempts to fix up locales for 1.1.x and even 1.2, and the issues became too significant.

For some of the open tasks, see Tasks.I18N also UnicodeSupport, UseUTF8, and UseUTF8PerlRequirements

-- GeorgeClark - 03 Dec 2013

I realize that moving that replacement might be bad since it won't affect dots in macro expansions. But duplicating that replacement should be OK.

-- MartinVonGagern - 03 Dec 2013

Another solution seems to be writing (\.|/) instead of [./].

-- MartinVonGagern - 05 Dec 2013

see also: Item11953

-- ChristianLudwig - 05 Dec 2013

Can you please include the following change, so I won't have to perform it locally after every upgrade?

-    if ( $topic =~ m|^(.*)[./](.*?)$| ) {
+    if ( $topic =~ m,^(.*)(?:\.|/)(.*?)$, ) {
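Review bot: the + line swaps the character class [./] for the alternation (?:\.|/), which accepts the same separators, but nothing next to it says why, so a later cleanup could fold it back into [./] and reintroduce the tainting reported here. Suggest a one-line comment above the if that points at this task, plus a regression test run under -T with UseLocale enabled that checks the returned web and topic names are untainted.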

-- MartinVonGagern - 09 Jan 2014

I'm getting it checked into trunk and post 1.1.9. Note that the use of the | instead of a character class is approximately 4% slower.

-- GeorgeClark - 09 Jan 2014
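A way to check the behaviour discussed in this thread on a given Perl build, as an added example that is not part of the original task or of Foswiki's code. It assumes that UseLocale=1 amounts to having the locale pragma in effect where the pattern is compiled; the input string and the labels are constructed, and the result depends on the Perl version, so the script reports what it finds rather than expecting a fixed outcome.

```perl
#!/usr/bin/perl -T
# Added diagnostic (not Foswiki code): does splitting "Web.Topic" with the
# patterns from this task yield tainted captures under taint mode + locale?
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "Run as: perl -T $0\n" unless ${^TAINT};

# Constructed input: a source literal, so it starts out untainted.
my $topic = 'Sandbox.TestTopic';
die "input unexpectedly tainted\n" if tainted($topic);

my %re;
{
    # Assumption: this is what UseLocale=1 effectively enables.
    use locale;
    %re = (
        'locale, class [./]'     => qr{^(.*)[./](.*?)$},
        'locale, alt (?:\.|/)'   => qr{^(.*)(?:\.|/)(.*?)$},
    );
}

# Same character-class pattern compiled outside the locale scope, as a baseline.
$re{'no locale, class [./]'} = qr{^(.*)[./](.*?)$};

for my $name ( sort keys %re ) {
    my ( $web, $name_part ) = $topic =~ $re{$name} or next;

    # A tainted capture here is what later breaks file opens under -T.
    my $is_tainted = ( tainted($web) || tainted($name_part) ) ? 'YES' : 'no';
    printf "%-24s web=%-8s topic=%-10s tainted=%s\n",
      $name, $web, $name_part, $is_tainted;
}
```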
 

ItemTemplate

Summary normalizeWebTopicName taints its result if UseLocale=1
ReportedBy MartinVonGagern
Codebase 1.1.9, trunk
SVN Range
AppliesTo Engine
Component I18N
Priority Normal
CurrentState Closed
WaitingFor
Checkins distro:de522f35e743 distro:8f6f150dd9a6
TargetRelease major
ReleasedIn 2.0.0
CheckinsOnBranches Release01x01 trunk
trunkCheckins distro:de522f35e743
Release01x01Checkins distro:8f6f150dd9a6
Topic revision: r12 - 05 Jul 2015, GeorgeClark