Revision [1701]

This is an old revision of WikkaBugs made by DarTar on 2004-10-06 16:38:07.

 

Bugs/Issues discovered in Wikka!


Related pages:
  • for issues related to Wikka layout refer to: WikkaCSS
 


Security bug in UserSettings (minor)
[Moved this back up again and edited since as of 1.1.5.3 it's only half fixed: only one of the assignments has been changed into a comparison operator. Sorry, I should have noticed before]
The file actions/usersettings.php contains a function for a logged in user to change their password; looking at the code, the apparent intention is to verify the user's current password before accepting the new one:
Line 35:
<?php ...
    else if (($user["password"] = md5($_POST["oldpass"])) || ($user["password"] == $_POST["oldpass"]))
?>

Unfortunately, this test always succeeds since it does an assignment instead of a comparison - and since the boolean operator is OR (
) it doesn't matter if the second term is (now) a comparison: just the single assignment in the first term will make it always evaluate as TRUE. This presents a security risk in (semi) public situations where someone might "take over" a logged-in user's account. The code should be corrected as:
<?php ...
    else if (($user["password"] == md5($_POST["oldpass"])) || ($user["password"] == $_POST["oldpass"]))
?>

-- JavaWoman

Email Addresses
Found several issues with how email addresses are validated / accepted / used; outlined on WikkaAndEmail - and I'm working on solutions. (Email is complicated and there's a whole bunch of standards (RFCs) involved.)

First part of the solutions now in WikkaEmailToolkit; while the toolkit is still incomplete, what's there now can be used as presented there (no dependencies on later components).
-- JavaWoman


I'm being picky here (again!). I've noticed that the double-click edit event is used on the BODY tag. One issue I've experienced is that while entering a comment, I couldn't double-click a word (to highlight and replace it) without triggering the edit screen. My suggestion is to put it on the DIV class="page" tag. -- Sam


Bugs I've found:
  • There are two related bugs in the productionised code. WikiName and WikiPage need to be created to "complete" the group of default pages. If you can't be bothered to create them, register them in WantedPages by default please. Deeper analysis shows that WikiPage is meant to be uncreated by default, my apologies. WikiName is found on UserSettings (when you don't enter a valid username) and FormattingRules by default.
  • I think defaulting to "Public" ownership would be more beneficial than Nobody. Nobody allows anyone to gain ACL rights to main pages if the proper setup steps are not taken. This is a major security issue and should have been addressed when the "Public" role was created.
    • This is not a security issue within the context of a wiki. Wikis are supposed to be open by design. In addition, admins can change ownership whenever they want. However, personally I agree with your point, and this will be considered for a future release. - JsnX
  • I mean, I can't even figure out how to get the file uploader running! Let alone figure out whether it's been implemented! I can see the files.php page, but where does it get executed?? Oops apparently, it's {{files}}, I'm an idiot! But let's see some documentation for this! Btw, the default uploads directory is not created in installation (is this a security precaution?).
  • Security: I was wondering whether it would be possible to store IPs for registered users as well. That way you can ban them via .htaccess if necessary.
    • Last known IP or every IP they ever connect from? I'd be willing to store one last known IP per user. - JsnX
    • Last known IP please :) Thanks. - Sam
    • I'd suggest adding *two* distinct fields to wikka_users: Last Login IP/Hostname + Last Login Time - DarTar
    • I was also thinking of a way to ban users directly from the wiki (much in the same way as referrers are added to the blacklist of spammers). This might turn out easier to implement than a user deleting action (which was one of the ideas discussed UserAdmin here) - DarTar


  • Security: Single-click restore of previous versions (without copying/pasting).
    • Yes, this will be implemented at some point. - JsnX
    • I should point out that there is an alternative to copying/pasting.
      • Go to the revisions page.
      • Click the date and time link that you would like to revert back to.
      • Click the 'Re-edit this old revision' button.
      • Click the 'Store' button.
  • There are surrounding "[]" bits in Page History which are suppose to display the edit notes. These should be removed if the note is empty.
    • Yup. This will be fixed. - JsnX

Thanks - Sam

I'm actually not sure if this is a Wikka Bug or not, but I'll put it out there. If the Character Set encoding in Internet Explorer 6 is set to Unicode (UTF-8) the Wikiedit Toolbar does not display and a JavaScript Runtime Error occurs on the page. (You have to doubleclick the little yellow exclamation point icon in the bottom left corner to see the actual error message.) If you right click in the page, select encoding, and change the encoding to Western European (ISO), then the Wikiedit Toolbar appears. If I configure the Default CharSet to be iso-8859-1 in my httpd.conf file, then everything works fine. If I set the default charset to be UTF-8, then I get the error. Is this normal behavior with UTF-8 encoding? -- RichardTerry


  • When I want to write { with my keyboard, the javascript is supposing I was typing Ctrl+Shift+4, so it encloses the actual line by ===. The same ennoying happens for ~, # and [. [DotMG]
    • Can you give me some more detail on this one. I'm not sure what you mean or how to replicate the bug. -- JsnX 5/27/04
    • Is anyone else seeing this? -- JsnX 5/29/04
    • I have a french azerty keyboard, and to type {, I combine keys Alt Gr and 4. But when I try this inside the box, I have my line enclosed with ===, as I typed Ctrl + Shift + 4, and the character { doesn' t appear as expected! It's because of Javascript.[DotMG]
    • I'm not encountering any problems with my swedish keyboard. Can use the full range of Alt Gr symbols: @£$?{[]}\. -- JockeAndersson 6/1/04



CategoryDevelopment
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki