
Item9292: UI responses to Nosuchweb (403) and Nosuchtopic (404) don't make sense

Priority: Normal
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
Component:
Branches:
Reported By: SvenDowideit
Waiting For: Foswiki:Main.SvenDowideit
Last Change By: GeorgeClark
  1. so http://localhost/bin/view/Nosuchweb returns 403
  2. http://localhost/bin/view/Sandbox/Nosuchtopic returns 404
  3. http://localhost/bin/viewfile/Sandbox/Nosuchtopic returns 404

similar issues wrt viewfile - including that viewfile exposes if an attachment exists

eg
  1. http://localhost/bin/viewfile/Sandbox/TopicExistsButViewIsDenied/ExistingAttachment.txt redirects to login
  2. http://localhost/bin/viewfile/Sandbox/TopicExistsButViewIsDenied/NonExistingAttachment.txt 404's

that last eg is a security issue we should think about.

I would like to add tests for each of Nosuchweb and Nosuchtopic to UIFnCompileTests - so that we know all the scripts are consistent

-- SvenDowideit - 09 Jul 2010

I've added some of the tests, but I'm not sure we'll fix this for 1.1

-- SvenDowideit - 13 Jul 2010

Your viewfile test was a failed attempt... It has to be called through some verify, so that the fixup function sets the UI_FN variable. But anyway, digging into this, it exposes a real genuine bug:
  • When one calls viewfile on something like: /viewfile/NonExistingWeb/SomeTopic, the viewfile code will loop through the path to find the webname. As none of it is a valid webname, it will end up undefined, but it is never checked. There is a check that the topic cannot be null, but not the web. I could easily duplicate the oops exception for non-existing topic, to return the same for non-existing webs.

What do you think?
  • Cdot: your analysis sounds reasonable. I'm not a big fan of adding more complexity to viewfile, but if it can be made more robust at a low cost, so much the better.

So I'll start hacking :)

-- OlivierRaginel - 13 Jul 2010
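
The two behaviours discussed above (the unchecked web name in viewfile's path loop, and the login-versus-404 difference that reveals whether an attachment exists) as an added, self-contained Perl model; it is not Foswiki's code and not written by anyone in this thread. The sample store and the names `resolve` and `viewfile_status` are hypothetical, and returning the same 404 for a missing web as for a missing topic follows the proposal in the comment above.

```perl
use strict;
use warnings;
# Constructed sample data: web => topic => { view => allowed?, files => {...} }
my %STORE = (
    'Sandbox' => {
        WebHome => { view => 1, files => { 'logo.txt' => 1 } },
        TopicExistsButViewIsDenied =>
          { view => 0, files => { 'ExistingAttachment.txt' => 1 } },
    },
    'Sandbox/Archive' => { Notes => { view => 1, files => {} } },
);

# Consume leading path components while they name an existing web.
sub resolve {
    my ($path) = @_;
    my @parts = grep { length } split m{/}, $path;
    my $web;
    while (@parts) {
        my $try = defined $web ? "$web/$parts[0]" : $parts[0];
        last unless exists $STORE{$try};
        $web = $try;
        shift @parts;
    }
    return ( $web, @parts );    # $web is undef when nothing matched
}

# Hypothetical handler; returns a status code or 'login' (redirect to login).
sub viewfile_status {
    my ($path) = @_;
    my ( $web, $topic, $file ) = resolve($path);
    return 404 unless defined $web;    # the web check described as missing
    return 404 unless defined $topic && exists $STORE{$web}{$topic};
    my $t = $STORE{$web}{$topic};
    # Decide access before touching the attachment, so a denied reader gets
    # the same answer whether or not the file exists.
    return 'login' unless $t->{view};
    return 404 unless defined $file && exists $t->{files}{$file};
    return 200;
}

for my $path (qw(
    /Nosuchweb/SomeTopic/a.txt
    /Sandbox/Nosuchtopic/a.txt
    /Sandbox/Archive/Notes/missing.txt
    /Sandbox/TopicExistsButViewIsDenied/ExistingAttachment.txt
    /Sandbox/TopicExistsButViewIsDenied/NonExistingAttachment.txt
)) {
    printf "%-64s %s\n", $path, viewfile_status($path);
}
```

The last two paths are the pair from the report; in this model both produce the login redirect because the topic's view permission is evaluated before the attachment lookup.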

Ok, fixed one bug, and changed the comments so it more reflects what Sven's brilliant mind was up to there (me hopes) :)

-- OlivierRaginel - 13 Jul 2010

this should be looked at further in 1.1.1

-- SvenDowideit - 14 Sep 2010

No work in years. Marking this closed. Open a new task if issues still exist.

-- GeorgeClark - 06 Jul 2015
 

ItemTemplate

Summary UI responses to Nosuchweb (403) and Nosuchtopic (404) don't make sense
ReportedBy SvenDowideit
Codebase trunk
SVN Range
AppliesTo Engine
Component
Priority Normal
CurrentState Closed
WaitingFor Foswiki:Main.SvenDowideit
Checkins distro:12cf5626685d distro:ba9bf21296e4 distro:5457828553e8
TargetRelease minor
ReleasedIn 1.1.0
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release01x01Checkins
Topic revision: r11 - 06 Jul 2015, GeorgeClark