Item1458: Don't allow saving data when http method is GET
Priority: Urgent
Current State: Closed
Released In: 1.0.5
Target Release: patch
Applies To: Engine
Component:
Branches:
Action list for this fix
Bin scripts
- save - Action Crawford
- manage - Action Crawford
- register - Action Crawford
- rename - Action Crawford
- resetpasswd - Action Crawford
- upload - Action Crawford
- rest - Action Crawford
- There is no way for a REST handler to know if it is used in a "read only" or a "write" way. Have to rely on individual implementors. There is only one vulnerable REST handler in the default set, viz. the upload handler in the WysiwygPlugin.
Default Extensions
Documentation
Unit test framework
- All tests involving code that tests for POST vs GET fail because the Request::Method does not work from the command line. - Action Crawford
Update language files
- One change requires a language file change - Action Kenneth
--
KennethLavrsen - 18 Apr 2009
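As an added illustration of the rule the action list applies (not Foswiki's own code): a small dispatcher that refuses to run the state-changing bin scripts unless the request arrived via POST, while read-only scripts and the edit script stay reachable with GET. Since a REST handler cannot tell on its own whether it reads or writes, each handler in the constructed registry declares it explicitly; the script names come from the list above, the handler names and the `writes` flag are assumptions for the demo.

```python
# Added example, not Foswiki's code. Scripts that only read may be reached
# with GET; everything in WRITE_SCRIPTS needs POST (the Item1458 rule).
READ_ONLY_SCRIPTS = {"view", "edit", "rest"}  # "rest" delegates to handlers
WRITE_SCRIPTS = {"save", "manage", "register", "rename", "resetpasswd", "upload"}

# Constructed REST registry: implementors must declare write intent
# themselves, since the rest script cannot infer it.
REST_HANDLERS = {
    "Example/search": {"writes": False},
    "WysiwygPlugin/upload": {"writes": True},
}


class MethodNotAllowed(Exception):
    pass


def request_method(environ):
    """Read the verb from the CGI environment. Tests inject REQUEST_METHOD
    explicitly because a command-line run has none (the unit-test note)."""
    return environ.get("REQUEST_METHOD", "GET").upper()


def dispatch(environ, script, rest_subject=None):
    """Return a token for the action that would run, or raise MethodNotAllowed."""
    method = request_method(environ)
    if script in WRITE_SCRIPTS:
        needs_post = True
    elif script == "rest":
        handler = REST_HANDLERS.get(rest_subject)
        if handler is None:
            raise KeyError(f"unknown REST handler {rest_subject!r}")
        needs_post = handler["writes"]
    elif script in READ_ONLY_SCRIPTS:
        needs_post = False
    else:
        raise KeyError(f"unknown script {script!r}")
    if needs_post and method != "POST":
        # A method="get" form or an <img> pointing at the save script
        # lands here instead of writing a topic.
        raise MethodNotAllowed(f"{script}: {method} not allowed, use POST")
    return f"{script}:{rest_subject or ''}:{method}"


def is_allowed(environ, script, rest_subject=None):
    """True when the request would be dispatched, False when refused."""
    try:
        dispatch(environ, script, rest_subject)
        return True
    except MethodNotAllowed:
        return False
```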
Testing done after this feature, with quite a few bugs found and so far all fixed
- Edit and save existing topic - Raw Edit
- Edit and save existing topic - Wysiwyg Edit
- Edit existing topic in Wysiwyg and go to Pickaxe mode and save
- Edit existing topic in Wysiwyg and go to Pickaxe mode and back to Wysiwyg mode and save
- Edit existing topic that has just been edited and saved. Click Force new revision and verify that topic uprevs
- Edit a topic in Raw Edit and verify that Edit Help, the editor font buttons and the enlarge buttons work. Also verify that the signature field is correct.
- Edit a topic in Wysiwyg and verify the Edit Help and that you can resize the edit window by dragging the lower corner. Also verify that the signature field is correct.
- Edit a topic in Raw Edit and do a Quiet Save
- Edit a topic in Raw Edit and do a Save and Continue and then save
- Edit a topic in Raw Edit and Preview, then save
- Edit a topic in Raw Edit and Preview, then Save and Continue
- Edit a topic in Raw Edit, change some text and Preview and use the back button in the browser to go back to edit. Verify that the last edits are remembered.
- Edit a topic in Raw Edit, change text and then cancel out. Verify that no changed text is saved
- Edit a topic in Raw Edit, change text and Preview. From preview Discard. Verify that no changed text is saved
- Edit a topic in Raw Edit, change text and Preview. From preview save with Force new revision checked. Check the new topic is upreved.
- Edit a topic in Wysiwyg and Cancel out
- Edit a topic in Wysiwyg and Save and Continue
- Edit a topic in Wysiwyg and Quiet Save
- Edit a topic in Wysiwyg and play with the many Wysiwyg features. (this is in itself a massive test)
- Create new topic using WikiWord link
- Create new topic using WebCreateNewTopic
- Create new topic using an HTML form with GET method submitting to the edit script
- Create new topic using an HTML form with POST method submitting to the edit script
- Create new topic using an HTML form with GET method submitting to the save script - this must be denied
- Create new topic using an HTML form with POST method submitting to the save script
- Create new web from ManagingWebs
- Move a test web with ...rename/System/WebPreferences?action=renameweb
- Attach a file to a topic - using link at top of page
- Attach a file to a topic - using link at bottom action bar (OK to just confirm the menu opens)
- Upload a new version of an existing file to a topic - using the manage link in attachment table
- Change attributes like comment and hidden back and forth for an attachment - using the manage link in attachment table
- Move an attachment to another topic in another web - using the manage link in attachment table
- Delete an attachment - using the manage link in attachment table
- Print version - bottom action bar
- History - bottom action bar - topic must have several versions
- Versions at bottom action bar (example) 12 < 11 < 10 < 9 < 8 - check that you can see older versions and that you can see the diff between them when clicking on <
- Backlinks at bottom action bar - check a topic that has links to it.
- Raw View - check it works
- Register new user without verification enabled in configure using UserRegistration
- Register new user with verification enabled in configure UserRegistration
- Confirm registration by clicking on link in email
- Register new user with verification enabled in configure
- Confirm registration by submitting form in browser
- More topic actions: View previous topic revision
- More topic actions: View previous topic revision with raw text selected
- More topic actions: Compare revisions, Sequential
- More topic actions: Compare revisions, Compare revisions,
- More topic actions: Compare revisions, Debug
- More topic actions: Restore topic to an older version
- More topic actions: Restore topic to the version that was last before the restore
- More topic actions: Set new topic parent which is not WebHome, use pick from a list
- More topic actions: Set new topic parent, use pick from a list to choose (no parent, orphan topic)
- More topic actions: Set new topic parent back to original parent
- More topic actions: Edit topic preference settings - Add two macros in a topic, then define them as preference settings and verify their value when viewing topic
- More topic actions: Edit topic preference settings - remove both from preference settings and verify the value is not defined when viewing topic
- More topic actions: Delete topic .. scans links in all public webs - Create a garbage topic and delete it
- More topic actions: Delete topic .. scans links in Myweb/Movingweb web only - create another garbage topic and delete it
- More topic actions: Rename or move topic - rename a topic - scans links in all public webs
- More topic actions: Rename or move topic - rename a topic - scans links in current web only
- More topic actions: Rename or move topic - move a topic from one web to another.
- More topic actions: Rename or move topic - move a topic from a root web to a subweb
- More topic actions: Copy topic
- More topic actions: Child topics in Myweb web - view a topic from where you have created new topics with ?-mark links. Check that you see a list of topics.
- More topic actions: Backlinks - Find topics that link to X in all public webs - check a topic that has another topic linking to it in same web.
- More topic actions: Backlinks - Find topics that link to X in all public webs - check a topic that has another topic linking to it in several webs.
- More topic actions: Cancel out
- Change language - User interface localization must be enabled in configure. Check back and forth to different languages and navigate to check the language is sticking between pages views and edit save.
- Jump field - top bar - Enter a prefix that several topics have. Check that it suggests these topics
- Search field - top bar - Search for words you know are in several topics
- Personal web left bar - check that you can login and logout - TemplateLogin
- Personal web left bar - check that you can login - ApacheLogin. Note you cannot in practice log out when using ApacheLogin
- WebCreateNewTopic - web left bar - check that you can create a new topic with this link
- WebTopicList - web left bar - check that you see all topics in alphabetical order
- WebSearch - web left bar - Search for something you know it should find via this link
- WebChanges - web left bar - Verify that it lists last changed topics newest at the top
- WebNotify - web left bar - check the link leads to correct topic
- WebStatistics - web left bar - check you get to statistics for current web
- WebPreferences - web left bar - Check that you see the WebPreferences topic for current web
In the following tests we assume that you have at least two form definition topics and that the forms are activated in WebPreferences. The forms should be constructed the first time you test so they meet the test descriptions.
- Edit a topic and add a form and save
- Edit the topic and fill out the form and save
- Edit a topic and replace the form and save.
- Edit a topic with hidden fields in form. Verify that fields are hidden in view (attribute H) and visible when editing.
- Edit a topic with a mandatory field in form (attribute M). Do not put anything in the mandatory field. Verify that Foswiki complains if you try to save without a value. Provide a value and verify the data is saved.
- Edit a topic with a form with all types of fields.
- View a topic with a form. Then click the small edit link next to the form name. Verify that you can edit and save the form without seeing the topic text while editing.
- View a topic with a form. Click on the form name. You should now see the form definition topic.
For the next test you are assumed to have a web with at least one formatted search wiki application. Use Kenneth's OSS project in a Web if you do not have one.
- Create new topics using HTML form submission topics
- Verify that formatted searches work and the listings look normal
- Submit an HTML form that creates a new topic calling edit script and method get
- Submit an HTML form that creates a new topic calling save script and method get - This is supposed to fail!
- Submit an HTML form that creates a new topic calling edit script and method post
- Submit an HTML form that creates a new topic calling save script and method post
Testing many of the small applications hidden in System documentation
- Test that BulkResetPassword works by resetting passwords for some test accounts
- Test that ChangeEmailAddress works by changing your own email address
- Test that ChangePassword works by changing your own password
- Test that you can create a new FAQ topic using the form on FrequentlyAskedQuestions
- Test that you can reset a password for an account using ResetPassword
- Test that you can see changed topics listed for different time intervals on SiteChanges
- Test that you can make a new tip topic with TipsOfTheDayAddNew
- Test that the TopicDoesNotExistViewTemplate works. Write a topic name of a non-existing topic in the Jump field and hit enter. You now see the TopicDoesNotExistViewTemplate. Try and create the new topic.
- Test that you can create a new user form. Go to UserForm and perform the two steps using the submit buttons. Form first and then template. When done you must check that Main.UserForm and Main.NewUserTemplate have been created.
TestCases
- Run the manual test cases in the TestCases web.
- Run the automatic test cases in the TestCases web
Testing plugins
- Test that no plugin fails in InstalledPlugins
- Test that pages using CommentPlugin still accept comments submitted. Try a few types of comments
- Test that EditTablePlugin cannot be lured to saving data with method GET using specially crafted simple web page
- Test that you cannot create or save a topic using an image tag with a URL to save script and parameter text
- Test EditTablePlugin using the manual test cases in the TestCases web for table tests.
So no one can say we did not do a careful walkthrough to ensure that this dramatic but needed fix has been tested.
Hopefully it will now only be badly made extensions and people's own applications with method="get" and save as target that fail now.
--
KennethLavrsen - 19 Apr 2009
Just re-opened because I forgot to revert a "fix" I did on the release branch. As it's only for unit tests, it's no big deal, but I'd rather keep it in here than create a new bug entry.
--
OlivierRaginel - 30 Apr 2009