Revision [1678]

This is an old revision of WikkaBugs made by JavaWoman on 2004-10-06 06:13:38.

 

Bugs/Issues discovered in Wikka!


Security bug in UserSettings (minor)
[Moved this back up again and edited since as of 1.1.5.3 it's only half fixed: only one of the assignments has been changed into a comparison operator. Sorry, I should have noticed before]
The file actions/usersettings.php contains a function for a logged in user to change their password; looking at the code, the apparent intention is to verify the user's current password before accepting the new one:
Line 35:
<?php ...
    else if (($user["password"] = md5($_POST["oldpass"])) || ($user["password"] == $_POST["oldpass"]))
?>

Unfortunately, this test always succeeds since it does an assignment instead of a comparison - and since the boolean operator is OR (
) it doesn't matter if the second term is (now) a comparison: just the single assignment in the first term will make it always evaluate as TRUE. This presents a security risk in (semi) public situations where someone might "take over" a logged-in user's account. The code should be corrected as:
<?php ...
    else if (($user["password"] == md5($_POST["oldpass"])) || ($user["password"] == $_POST["oldpass"]))
?>

-- JavaWoman

Email Addresses
Found several issues with how email addresses are validated / accepted / used; outlined on WikkaAndEmail - and I'm working on solutions. (Email is complicated and there's a whole bunch of standards (RFCs) involved.)

First part of the solutions now in WikkaEmailToolkit; while the toolkit is still incomplete, what's there now can be used as presented there (no dependencies on later components).
-- JavaWoman


Strikethrough seems to highlight the selected text like this instead of striking through it. Looks like Wikka uses the deletions class from wikka.css instead of the strikethrough class.
.strikethrough {color: #888; text-decoration: line-through;}
.deletions {color: #876; background-color: #FFCC99;}


--RichardTerry

See also my note on markup of diff pages in the SuggestionBox! -- JavaWoman


I'm being picky here (again!). I've noticed that the double-click edit event is used on the BODY tag. One issue I've experienced is that while entering a comment, I couldn't double-click a word (to highlight and replace it) without triggering the edit screen. My suggestion is to put it on the DIV class="page" tag. -- Sam


Is there a reason why missing pages are marked through <a href="..."><span class="missingpage">Page name</span></a> instead of <a class="missingpage">Page name</a>? This makes control on hover behavior difficult.
-- DarTar


Bugs I've found:
  • Something dodgy has been done to this site's header.php. The code to extract document titles from the downloaded version is MUCH different from what you are showing here. Take a look at the document titles on HtmlAreaEditing and GmBowen. That's code in there! What's going on? This issue has been addressed in 1.1.5.1 via Mod040fSmartPageTitles. However the regex pattern needs to refined to avoid code samples (e.g. GmBowen)
  • There are two related bugs in the productionised code. WikiName and WikiPage need to be created to "complete" the group of default pages. If you can't be bothered to create them, register them in WantedPages by default please. Deeper analysis shows that WikiPage is meant to be uncreated by default, my apologies. WikiName is found on UserSettings (when you don't enter a valid username) and FormattingRules by default.
  • I think defaulting to "Public" ownership would be more beneficial than Nobody. Nobody allows anyone to gain ACL rights to main pages if the proper setup steps are not taken. This is a major security issue and should have been addressed when the "Public" role was created.
    • This is not a security issue within the context of a wiki. Wikis are supposed to be open by design. In addition, admins can change ownership whenever they want. However, personally I agree with your point, and this will be considered for a future release. - JsnX
  • I mean, I can't even figure out how to get the file uploader running! Let alone figure out whether it's been implemented! I can see the files.php page, but where does it get executed?? Oops apparently, it's {{files}}, I'm an idiot! But let's see some documentation for this! Btw, the default uploads directory is not created in installation (is this a security precaution?).
  • Security: I was wondering whether it would be possible to store IPs for registered users as well. That way you can ban them via .htaccess if necessary.
    • Last known IP or every IP they ever connect from? I'd be willing to store one last known IP per user. - JsnX
    • Last known IP please :) Thanks. - Sam
    • I'd suggest adding *two* distinct fields to wikka_users: Last Login IP/Hostname + Last Login Time - DarTar
    • I was also thinking of a way to ban users directly from the wiki (much in the same way as referrers are added to the blacklist of spammers). This might turn out easier to implement than a user deleting action (which was one of the ideas discussed UserAdmin here) - DarTar


  • Security: Single-click restore of previous versions (without copying/pasting).
    • Yes, this will be implemented at some point. - JsnX
    • I should point out that there is an alternative to copying/pasting.
      • Go to the revisions page.
      • Click the date and time link that you would like to revert back to.
      • Click the 'Re-edit this old revision' button.
      • Click the 'Store' button.
  • There are surrounding "[]" bits in Page History which are suppose to display the edit notes. These should be removed if the note is empty.
    • Yup. This will be fixed. - JsnX

Thanks - Sam

I'm actually not sure if this is a Wikka Bug or not, but I'll put it out there. If the Character Set encoding in Internet Explorer 6 is set to Unicode (UTF-8) the Wikiedit Toolbar does not display and a JavaScript Runtime Error occurs on the page. (You have to doubleclick the little yellow exclamation point icon in the bottom left corner to see the actual error message.) If you right click in the page, select encoding, and change the encoding to Western European (ISO), then the Wikiedit Toolbar appears. If I configure the Default CharSet to be iso-8859-1 in my httpd.conf file, then everything works fine. If I set the default charset to be UTF-8, then I get the error. Is this normal behavior with UTF-8 encoding? -- RichardTerry


  • When I want to write { with my keyboard, the javascript is supposing I was typing Ctrl+Shift+4, so it encloses the actual line by ===. The same ennoying happens for ~, # and [. [DotMG]
    • Can you give me some more detail on this one. I'm not sure what you mean or how to replicate the bug. -- JsnX 5/27/04
    • Is anyone else seeing this? -- JsnX 5/29/04
    • I have a french azerty keyboard, and to type {, I combine keys Alt Gr and 4. But when I try this inside the box, I have my line enclosed with ===, as I typed Ctrl + Shift + 4, and the character { doesn' t appear as expected! It's because of Javascript.[DotMG]
    • I'm not encountering any problems with my swedish keyboard. Can use the full range of Alt Gr symbols: @£$?{[]}\. -- JockeAndersson 6/1/04



Resolved bugs



XHTML not valid
Also in actions/usersettings.php: the state for "on" checkboxes is generated as 'checked'; to be valid XHTML such a boolean attribuet needs to be written as 'checked="checked"'.
JavaWoman


Both bugs are now fixed, and will be in the next release. Thanks! - JsnX



I've discovered a weird sort of bug. When I attempt to create a page whose name contains the string CategoriesExplained, I get a 403 error on wikka.php (no re-writing enabled) when I attempt to preview or store this information. I was trying to create a page named WikiCategoriesExplained on my site (attempting to replace the irritatingly named WikiCategory). I've managed to replicate this bug on this site (click CategoriesExplained here then click Preview. -- Sam
It's not really a Wikka bug. Edit the .htaccess in your root Wikka directory. Remove the word sex from within the line that starts with 'SetEnvIfNoCase'. I've taken care of this for the next release. - JsnX

  • ACLs bug (reproduced here - SdfdsfaSdasd): when you change the read access to "!*" (stop all), the only way to revert this back to "*" is:
    • Give rights to a new user (so ACL for read access says "ban all, but allow access for SdfdsfaSdasd")
    • Save ACL
  • Another ACL bug: you can't changed ownership of a page to Nobody. This may be because of the Not Null aspect of the tables, but frankly, it's quite irritating! I have removed this option from my own installation of acl.php.


2) The WantedPages page uses the linking_to query-string. The character preceding this should be a "?" if URL re-writing is enabled, but a "&" if not. For example, if I use the default wikka.php?wikka=WantedPages?linking_to=TestMe, this will attempt to create a new page. This bug may be already addressed at Mod032bModRewrite, but frankly, I can't understand it.


  • the new tab conversion in the formatters/wakka.php replaces not only four successive space characters with a tab, but any whitespace which a tab itself used to be one. replace the metachar "\s" in the square brackets with a real space like this:
$text = preg_replace("/\n[ ]{4}/", "\n\t", $text);

then program listings with levels indented four and more times will be rendered correctly again.

    • Yup. That's originally how I had it, but then mucked it up for some reason. Resolved in 1.1.4.1. Thanks for pointing it out. -- JsnX


  • Homepage is not CSS valid -- Fixed.

  • Mod_rewrite : I'm waiting for 1.1.4, but This is a bug I found at 1.1.0 : every Rewrite directive in each .htaccess file should be enclosed in <IfModule mod_rewrite.c>, </IfModule>; because if you just add IfModule in ./.htaccess, no image, no js, no css will be downloaded because the server will send an http 500 error. So, what you are saying is that the .htaccess file in the root directory is okay, but I need to add the Ifmodule conditional to the other .htaccess files in the css, image, and wikiedit2 directories as follows? ...
Yes! (You can try to disable mod_rewrite by commenting the corresponding LoadModule in httpd.conf)
More about Mod_rewrite : take a look at FaviconDotIco and RobotsDotTxt [DotMG]
<IfModule mod_rewrite.c>
RewriteEngine off
</IfModule>


Version Wikka Wakka Wiki 1.0.4:
    • Acknowledged. -- JsnX 5/27/04 ..... Fixed in Wikka 1.0.5. -- JsnX 5/29/04


bug in redesigned acl-handling?


am i wrong or does the $wakka->hasaccess routine (v. 1.1.3) only check the user-rights against the present page, regardless if the parameter $tag is set or not? i haven't had a closer look, but as i understood, the check against $this->acls[$privilege."_acl"] only returns the right value, if $tag == $this->tag and else should be passed over to the loadacl-function as wakka did. -- DreckFehler

  • Fixed in 1.1.3.1 and above. -- JsnX



formatters don't care about diff-tags

none of the formatters which are triggered by the %%double-percent tag%% observes the tags that are inserted by the diff-engine, although the main-formatter wakka.php delegates all rendering to these formatters. an example is shown here:

http://wikka.jsnx.com/FeedbackAction/diff?a=828&b=792

just search for "pound" or "++" on that page.

in most cases this issue can be solved by a simple str_replace. an exception is the php-highlighter. see the link below for a solution.

but fixing that problem rises another! i'm unhappy with the "++" tag used by the diff-engine to mark deletions. the double-plus is also the increment operator of php (and other languages) and can't be distiguished from the diff-tags. this problem is addressed in the following sample code too:

http://mindwiki.de/wikka_bug_-_formatters_to_care_about_diff-engine/diff?a=387&b=384

that page might be an example what this bugfix is good for, but it also shows up the limits. naturally the sample-code contains those diff-tags which it is dealing with. that obviously screws up the diff-engine again. so take care not only to paste-n-copy the code snippets from the link above ;)

  • Fixed in 1.1.3.3 and above. -- JsnX

Interwiki is broken

Interwiki links are broken if they are not CamelCased, like WikiPedia:Albert_Einstein will not work, but WikiPedia:CamelCase would. Wikipedia heavily relays on FreeLinks, which converts "Albert Einstein" to "Albert_Einsten". --DavidCollantes

Password change problem

If spaces are entered on passwords, it does not works and no feedback is given to users. I tried on the "Change Password" part, not on the new user registration. --DavidCollantes



CategoryDevelopment
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki