
Item7709: The default {AccessibleENV} in lib/TWiki.spec is too strict

Item Form Data

| AppliesTo | Component | Priority | CurrentState | WaitingFor | TargetRelease | ReleasedIn |
| Engine | Configuration | Normal | Confirmed | | | |


Detail

The default {AccessibleENV} value in lib/TWiki.spec is too strict. There's no danger in exposing SSL_CLIENT params (they're sent from the client's certificate). Also, SSL_PROTOCOL and CIPHER are visible from the client, so there's no point in hiding them.

They are useful when debugging TLS (SSL) problems, especially with X.509 authentication, and for warning of certificate expiration.

I suggest changing the default to:

$TWiki::cfg{AccessibleENV} = '^(HTTP_\w+|REMOTE_\w+|SERVER_\w+|REQUEST_\w+|MOD_PERL|SSL_CLIENT_.*|SSL_(?:CIPHER(?:_\w+)*|PROTOCOL))$';

Although any site can make the change, it's a Perl regexp and I expect that most sites won't.

Here's an example of how I use many of these variables. It might be worth adapting for the default home page. (Note that I require an SSL Client certificate for access - see X509Plugin):

From the top of my main page:

=<sticky>Certificate: [[ConnectionStatus][]] IF{ "$ 'ENV{SSL_CLIENT_V_REMAIN}' <= 60" then=" <span style='background-color:#ff7b3d;'>expires in days, on </span>" }</sticky>=

And the ConnectionStatus page:

<sticky><table style="width:100%;"><tr><td style="text-align:left">
---+ Connection and certificate status
</td><td style="text-align:right"> IF{ "%IP%=4" else="<nop><img alt=\"IPv6 Icon\" src=\"/pub/Bugs/WebHome/IPv6-green.png\"/>" then="<img alt=\"IPv4 Icon\" src=\"/pub/Bugs/WebHome/IPv4-gray.png\"/>" }</td></tr></table></sticky>

Details of your secure connection's protocol and identity certificate:

| Connection | from 54.242.75.224 ||
| Cipher | ||
| Key type | , signed with ||
| Certificate issuer | ||
| Certificate subject | ||
| Certificate valid | to ||

-- TWiki:Main/TimotheLitt - 2016-01-09
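The following is an added example, not code from the report or from TWiki itself: it applies the proposed {AccessibleENV} regex to a constructed mod_ssl/CGI environment to show which variable names a page could read through %ENV{...}% and which stay hidden, and mirrors the SSL_CLIENT_V_REMAIN expiry check from the home-page snippet. The pattern is a Perl regex, but this subset of syntax behaves identically in Python's re module; all variable values below are placeholders.

```python
import re

# Proposed default from the report (Perl regex; same meaning under Python's re).
PROPOSED_ACCESSIBLE_ENV = (
    r'^(HTTP_\w+|REMOTE_\w+|SERVER_\w+|REQUEST_\w+|MOD_PERL'
    r'|SSL_CLIENT_.*|SSL_(?:CIPHER(?:_\w+)*|PROTOCOL))$'
)

# Constructed sample environment (names as mod_ssl/CGI set them, values invented).
SAMPLE_ENV = {
    "HTTP_HOST": "wiki.example.test",
    "REMOTE_ADDR": "192.0.2.10",
    "SERVER_NAME": "wiki.example.test",
    "REQUEST_METHOD": "GET",
    "MOD_PERL": "mod_perl/2.0.x",
    "SSL_PROTOCOL": "TLSv1.2",
    "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
    "SSL_CIPHER_USEKEYSIZE": "256",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example",
    "SSL_CLIENT_V_END": "Jan  1 00:00:00 2017 GMT",
    "SSL_CLIENT_V_REMAIN": "45",
    "SSL_SERVER_S_DN": "CN=wiki.example.test",   # server-side, stays hidden
    "SSL_SESSION_ID": "placeholder-session-id",  # stays hidden
    "PATH": "/usr/bin:/bin",                      # stays hidden
    "DB_PASSWORD": "placeholder-secret",          # stays hidden
}

def accessible_env(env, pattern=PROPOSED_ACCESSIBLE_ENV):
    """Subset of env whose names match the AccessibleENV regex,
    i.e. what %ENV{name}% would be allowed to render."""
    rx = re.compile(pattern)
    return {k: v for k, v in env.items() if rx.match(k)}

def hidden_env(env, pattern=PROPOSED_ACCESSIBLE_ENV):
    """Names the regex keeps away from pages (anchoring matters: SSL_SERVER_*
    is not matched by SERVER_\\w+ because the pattern starts with ^)."""
    return sorted(set(env) - set(accessible_env(env, pattern)))

def cert_expiry_warning(env, days=60):
    """Mirror the page's IF check: warn when the client certificate has at most
    `days` left. Returns None if SSL_CLIENT_V_REMAIN is not exposed."""
    exposed = accessible_env(env)
    remain = exposed.get("SSL_CLIENT_V_REMAIN")
    if remain is None:
        return None
    if int(remain) <= days:
        return f"expires in {remain} days, on {exposed.get('SSL_CLIENT_V_END', '?')}"
    return ""
```

Filtering the same environment with a pattern that lacks the SSL_ alternatives makes cert_expiry_warning return None, which is exactly the silent failure the report describes.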

Agreed. This is a "no-brainer" change, e.g. it does not require a feature proposal. Feel free to fix in trunk and 6.0 branch.

-- TWiki:Main.PeterThoeny - 2016-01-11

ItemTemplate
Summary: The default {AccessibleENV} in lib/TWiki.spec is too strict
ReportedBy: TWiki:Main.TimotheLitt
SVN Range: TWiki-6.0.2-trunk, Sun, 29 Nov 2015, build 29679
AppliesTo: Engine
Component: Configuration
Priority: Normal
CurrentState: Confirmed