/bin/twiki is experimental stuff that should not be in the distribution.
No one really tests it.
It is not considered in any of the security setup
It could potentially be an open security bomb.
I strongly propose it is removed from the MANIFEST
If needed by some it should perhaps be in a Contrib
--
TWiki:Main/KennethLavrsen
- 01 Oct 2007
This is the default Apache setup for TWiki (non-template):
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view, resetpasswd & passwd are not authenticated.
# (un-comment to activate)
#<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
# require valid-user
#</FilesMatch>
I have gotten the impression that the twiki script allows editing???
Who put that there unprotected?
--
TWiki:Main.KennethLavrsen
- 01 Oct 2007
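The quoted config only asks for a login on scripts whose names match the FilesMatch regex, so anything new dropped into bin/ is reachable without authentication unless the regex is updated. The following check, an added example that is not part of the thread or of TWiki itself, applies that regex to a constructed list of bin/ script names and reports which ones are reachable without a login and which of those are not on an assumed allowlist of intentionally public scripts (the comment names view, resetpasswd and passwd; the other allowlisted names are an assumption). Apache's FilesMatch is an unanchored PCRE match, which Python's re.search approximates closely enough for these names.

```python
import re

# Regex from the default TWiki Apache config quoted above. Apache's
# <FilesMatch> is unanchored, so re.search() is the right approximation.
AUTH_PATTERN = r"(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*"

# Constructed sample of a TWiki bin/ directory (not read from a real install).
# The experimental "twiki" script discussed in the thread is included.
SAMPLE_BIN_SCRIPTS = [
    "attach", "edit", "manage", "oops", "passwd", "rdiff", "rename",
    "resetpasswd", "rest", "save", "search", "statistics", "twiki",
    "upload", "view", "viewauth",
]

# Assumption: scripts that are meant to be reachable without a login.
# view, resetpasswd and passwd come from the config comment; the rest are
# read-only scripts listed here as an assumed allowlist.
EXPECTED_PUBLIC = {
    "view", "passwd", "resetpasswd", "oops", "rdiff", "search", "statistics",
}


def unprotected_scripts(scripts, pattern=AUTH_PATTERN):
    """Return the script names that the FilesMatch regex does not cover."""
    rx = re.compile(pattern)
    return sorted(name for name in scripts if not rx.search(name))


def unexpected_public(scripts, allowlist=EXPECTED_PUBLIC, pattern=AUTH_PATTERN):
    """Unprotected scripts that are not on the allowlist: these need a decision."""
    return sorted(set(unprotected_scripts(scripts, pattern)) - set(allowlist))


def with_extra_scripts(pattern, names):
    """Add script names to the front of the regex's alternation.

    Helper written for this example: it assumes the pattern starts with the
    opening "(" of an alternation group, as the quoted TWiki pattern does.
    """
    if not pattern.startswith("("):
        raise ValueError("pattern must start with an alternation group")
    return "(" + "|".join(re.escape(n) for n in names) + "|" + pattern[1:]


if __name__ == "__main__":
    print("no login required:", unprotected_scripts(SAMPLE_BIN_SCRIPTS))
    print("not on allowlist: ", unexpected_public(SAMPLE_BIN_SCRIPTS))
    hardened = with_extra_scripts(AUTH_PATTERN, ["twiki"])
    print("after adding twiki:", unexpected_public(SAMPLE_BIN_SCRIPTS, pattern=hardened))
```

Run against a real install by replacing SAMPLE_BIN_SCRIPTS with os.listdir() of the bin/ directory; any name reported under "not on allowlist" is a script the default login rule does not gate, which is exactly how the experimental twiki script shows up.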
I have not managed to use the script to gain access without auth.
But it is a bit mysterious this script. The docu says "Single-script interface to the functionality of all the other scripts. Experimental, not for production use. Read the code if you want to know more"
Read the code!!! By God. You cannot write that in the distribution docs.
Either it gets documented, with proper protection in the default Apache configs, or it goes out. We do not ship undocumented, untested experimental code.
--
TWiki:Main.KennethLavrsen
- 01 Oct 2007
Kill it. It's a hole waiting to be opened.
--
TWiki:Main.CrawfordCurrie
- 02 Oct 2007
Done.
Removed from MANIFEST.
Removed from TWikiScripts, where the horror "read the code" message was found.
This one should be moved to a contrib for the ones that like to experiment with this.
--
TWiki:Main.KennethLavrsen
- 03 Oct 2007
Completely agree. See my first failed attempt in January, Item3429.
--
TWiki:Main.PeterThoeny
- 07 Oct 2007