Item12675: normalizeWebTopicName taints its result if UseLocale=1
Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: I18N
Branches: Release01x01 trunk
If Foswiki is configured to
UseLocale
and run with the equivalent of
perl -T
,
then the regular expression match
m|^(.*)[./](.*?)$|
in
normalizeWebTopicName
will taint the resulting web and topic names, which can later on lead to access problems,
e.g. if that name is used to compute a file name for opening.
This might well be
a bug in perl,
but even if that is the case, Foswiki should probably try to work around it.
One possibility might be enclosing that expression in a block with a
no locale
pragma.
Another solution would be moving the
s#\.#/#g;
up to before that match,
and change the regular expression to only match
/
instead of
[./]
.
That seems to do the trick, although I don't know why.
--
MartinVonGagern - 03 Dec 2013
The use of Taint checking along with Locales is a big problem. There are a number of places where thing go awry. There are plans for a Foswiki that better supports locales, but it will probably mean we have to do away with -T taint checking. There were some attempts to fix up locales for 1.1.x and even 1.2, and the issues became too significant.
For some of the open tasks, see
Tasks.I18N also
UnicodeSupport,
UseUTF8, and
UseUTF8PerlRequirements
--
GeorgeClark - 03 Dec 2013
I realize that
moving that replacement might be bad since it won't affect dots in macro expansions. But duplicating that replacement should be OK.
--
MartinVonGagern - 03 Dec 2013
Another solution seems to be writing
(\.|/)
instead of
[./]
.
--
MartinVonGagern - 05 Dec 2013
see also:
Item11953
--
ChristianLudwig - 05 Dec 2013
Can you please include the following change, so I won't have to perform it locally after every upgrade?
- if ( $topic =~ m|^(.*)[./](.*?)$| ) {
+ if ( $topic =~ m,^(.*)(?:\.|/)(.*?)$, ) {
--
MartinVonGagern - 09 Jan 2014
I'm getting it checked into trunk and post 1.1.9. Note that the use of the | instead of a character class is approximately 4% slower.
--
GeorgeClark - 09 Jan 2014