
I've been asked to make this a separate report in Item893, so here you are:

Often I am running my laptop "offline", i.e. apache runs on localhost without external net.

Since the inclusion of IncludeTopicsAndWebPages's content in TWikiVariables, reading TWikiVariables when "offline" gives me an "attempted hack":

TWiki detected an error or attempted hack - please check your TWiki logs and webserver logs for more information.

Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4

The reason: TWiki:TWikiVariablesAtoM contains a link to an external URL

Tokyo: %INCLUDE{"http://TWiki.org/cgi-bin/xtra/tzdate?tz=Asia/Tokyo" pattern="^.*<\!--tzdate:date-->(.*?)<\!--/tzdate:date-->.*"}%
...which croaks due to the suboptimal error handling in TWiki::Net::getUrl. So I'm tempted to re-prioritize to "Normal" because the doc is currently in a very bad place (I often consult TWikiVariables, but never needed IncludeTopicsAndWebPages).

PTh asked to classify this as a requirement, writing "TWiki should not fail with a scary "attempted hack" error in a production environment." This is correct, but while I think I can be productive when offline, I wouldn't call this a production environment. Since, however, the same problem will occur when a firewall or authenticated proxy prevents TWiki from accessing the outside world, let's compromise on "Urgent".


Agreed. At least the error is detected and not just ignored!

The error handling must be improved.

Do you have a stack trace? (from error_log)

CC

Aye. Is attached. 300-column-lines make difficult reading...

-- TWiki:Main.HaraldJoerg

Moved from Item893:

TWiki should not fail with a scary "attempted hack" error in a production environment.

-- PTh

On the contrary; it must fail. The alternatives (it ignores the error, and ploughs on, or it doesn't tell the user but just doesn't complete the operation) are too horrifying to contemplate.

The wording of the message was chosen to reflect the concerns of the Security community, and indicate that TWiki is not only detecting errors, but is checking for attempted hacks as well. In the light of recent experiences I thought this was good PR.

CC

Crawford, clarification: It should fail, but with a graceful text shown to the user (by replacing %INCLUDE with error text, thus rendering the remaining part of the topic as usual). Don't make me think.

-- PTh

I agree with PTh. Most other webapp development environments show an inline error, sometimes in red. I never want to see an attempted hack error in a production environment, because that means the security team gets called. 3 or more of these in a week, esp. during trial of TWiki for a corporate environment, and I can guarantee the entire effort would be cancelled.

  • I second, triple, quadruple this concern! -- PTh

-- JST

INCLUDE is normally expected to print an error if it can't find a topic (which, as you know, can be suppressed using warn="off"), so I would expect the same to happen for an external include.

-- WN

OK, OK, you win. I even softened the omigod message to remove the risk of jackbooted security guards marching in every time you see it.

I can't test this properly without disconnecting from the network. Can someone give it a try on an offline machine please? If it works, you can close this report.

SVN 7636

CC

The someone with an offline machine could be me again ;-)

The good news: it no longer mentions an "attempted hack":

TWiki detected an internal error - please check your TWiki logs and webserver logs for more information.
Can't call method "with" without a package or object reference

The bad news, obviously: it doesn't work. Here is the patch:

Index: lib/TWiki.pm
===================================================================
--- lib/TWiki.pm        (Revision 7638)
+++ lib/TWiki.pm        (Arbeitskopie)
@@ -43,6 +43,7 @@
 
 use strict;
 use Assert;
+use Error qw( :try );
 
 require 5.005;        # For regex objects and internationalisation
 
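Review bot: the one-line import `use Error qw( :try );` is the right fix for the "Can't call method "with" without a package or object reference" failure quoted above: without the `:try` import, a `catch ... with { }` clause is parsed as a method call on a bare word instead of Error.pm's syntax. Since Perl imports are per package, it is worth checking that every other module which gained a try/catch block in SVN 7636 carries the same `use Error qw( :try );` line, as the import in TWiki.pm does not make the keywords available elsewhere.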
Now I get, within IncludeTopicsAndWebPages:

 Failed to include URL http://TWiki.org/cgi-bin/xtra/tzdate?tz=Asia/Tokyo

So, status is "New" again.

-- TWiki:Main.HaraldJoerg
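As an added illustration, not code from TWiki or from anyone in this thread, the Perl sketch below shows the behaviour the discussion converges on: a fetcher that turns an unresolvable host (the offline case, where inet_aton returns undef and pack_sockaddr_in would otherwise croak with the "Bad arg length" message from the original report) into an exception, and an include layer that catches it with Error.pm's try/catch and renders an inline "Failed to include URL ..." text, honouring warn="off" the way a missing-topic include does. The names fetch_url and include_url are hypothetical and do not mirror TWiki::Net::getUrl; the `use Error qw( :try );` import is the one the patch adds, and leaving it out is the usual cause of the "Can't call method "with"" symptom quoted above.

```perl
#!/usr/bin/perl
# Added illustration (not TWiki code): turning a socket-level failure into an
# inline INCLUDE error with Error.pm's try/catch.
use strict;
use warnings;
use Socket qw( inet_aton pack_sockaddr_in PF_INET SOCK_STREAM );
use Error qw( :try );   # without this import, "catch ... with { }" is not
                        # recognised and Perl reports
                        # Can't call method "with" without a package or object reference

# Hypothetical fetcher: resolves the host and opens a TCP socket. Every
# failure is thrown as an Error::Simple instead of being passed on to
# pack_sockaddr_in, which croaks on an undefined address when offline.
sub fetch_url {
    my ($url) = @_;
    my ($host, $port, $path) = $url =~ m{^https?://([^/:]+)(?::(\d+))?(/.*)?$}
        or throw Error::Simple("Bad URL: $url");
    $port ||= 80;
    $path ||= '/';

    my $addr = inet_aton($host)
        or throw Error::Simple("Cannot resolve host $host");
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
        or throw Error::Simple("socket: $!");
    connect($sock, pack_sockaddr_in($port, $addr))
        or throw Error::Simple("connect to $host:$port: $!");
    print $sock "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
    local $/;
    my $response = <$sock>;
    close $sock;
    return $response;
}

# Hypothetical include layer: never dies. A failure becomes inline text that
# is rendered in place of the %INCLUDE% (or nothing when warn="off"), and the
# detail goes to the web server log rather than to the page.
sub include_url {
    my ($url, %params) = @_;
    my $warn = defined $params{warn} ? $params{warn} : 'on';
    my $text = '';
    try {
        $text = fetch_url($url);
    } catch Error with {
        my $e = shift;
        warn "INCLUDE $url failed: " . $e->text . "\n";   # goes to error_log
        $text = $warn eq 'off'
              ? ''
              : "Failed to include URL $url";           # calm message for the user
    };
    return $text;
}

# Constructed demo: the ".invalid" domain is reserved and never resolves, so
# this exercises the failure path even on a connected machine.
print include_url('http://example.invalid/cgi-bin/xtra/tzdate?tz=Asia/Tokyo'), "\n";
print '[', include_url('http://example.invalid/', warn => 'off'), "]\n";
```

The first line printed is the inline message the thread asks for; the second prints an empty pair of brackets because warn="off" suppresses it, while both failures are still recorded by warn() in the server's error_log.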

Thanks! Applied SVN:7639

-- WN

ItemTemplate
Summary INCLUDE with external urls gives attempted hack when offline
ReportedBy TWiki:Main.HaraldJoerg
Codebase

AppliesTo Engine
Component

Priority Urgent
CurrentState Closed
WaitingFor

Checkins 7636 7639
Topic attachments
item1015.errorlog (r1, 4.3 K, 2005-11-22 21:18, HaraldJoerg): 21 lines of stacktrace from Apache's error_log
Topic revision: r12 - 2005-11-24 - WillNorris