WikiBugs/PossibleToCreatePagesThatCanNotBeEdited

Fixed in 1.0.1 --MarkusLude

It is possible to create pages in UseMod 1.0 that can not be edited if FreeLinks are enabled (which is the default configuration). Unfortunately, at least one spammer appears to be exploiting this bug to create un-editable WikiSpam. The bug is triggered by directly submitting an HTTP POST request to the wiki with a non-normalized page id (such as an all lowercase page id). UseMod will consider this a request to create a page with a non-normalized page id. Subsequently the non-normalized page title will be visible via the index action and Recent Changes, the page can be browsed by direct URL, but any attempt to edit the page will actually be performed on a different page - namely the page identified by the normalized version of the page id. For example, if this bug is exploited to create a page named test, any attempt to edit the page will actually change the page named Test.

If necessary I can create pages on this wiki that explicitly demonstrate this bug. However, that is uncomfortably close to vandalism, enough so that I am unwilling to do so without the permission of this wiki's administrator.

I propose that this bug be fixed by changing the beginning of the DoPost subroutine from...

  sub DoPost {
    my ($editDiff, $old, $newAuthor, $pgtime, $oldrev, $preview, $user);
    my $string = &GetParam("text", undef);
    my $id = &GetParam("title", "");
    my $summary = &GetParam("summary", "");
    my $oldtime = &GetParam("oldtime", "");
    my $oldconflict = &GetParam("oldconflict", "");
    my $isEdit = 0;
    my $editTime = $Now;
    my $authorAddr = $ENV{REMOTE_ADDR};

    if (!&UserCanEdit($id, 1)) {
      # This is an internal interface--we don't need to explain
      &ReportError(Ts('Editing not allowed for %s.', $id));
      return;
    }

... to ...

  sub DoPost {
    my ($editDiff, $old, $newAuthor, $pgtime, $oldrev, $preview, $user);
    my $string = &GetParam("text", undef);
    my $id = &GetParam("title", "");
    my $summary = &GetParam("summary", "");
    my $oldtime = &GetParam("oldtime", "");
    my $oldconflict = &GetParam("oldconflict", "");
    my $isEdit = 0;
    my $editTime = $Now;
    my $authorAddr = $ENV{REMOTE_ADDR};
  
    #Bug fix: the following three lines fix the "uneditable page" bug
    if ($FreeLinks) {
      $id = &FreeToNormal($id);
    }
    if (!&UserCanEdit($id, 1)) {
      # This is an internal interface--we don't need to explain
      &ReportError(Ts('Editing not allowed for %s.', $id));
      return;
    }

-- RichardP


I've added a formal patch description at WikiPatches/UneditablePageBugFix that describes a fix for this bug. -- RichardP
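
An added example, not part of the original report or of UseMod's own code: a small audit that takes a list of stored page ids and reports the ones whose id differs from its normalized form, which are the pages the edit path cannot reach. `normalize_id` is a hypothetical, simplified stand-in for `FreeToNormal` (it models only space-to-underscore and a leading capital), and the sample index is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical, simplified stand-in for UseMod's FreeToNormal.
# Assumption: only the space-to-underscore and leading-capital rules are
# modelled; on a real install, call the wiki's own routine instead.
sub normalize_id {
    my ($id) = @_;
    $id =~ s/ /_/g;       # free links are typed with spaces
    $id =~ s/__+/_/g;     # collapse runs of underscores
    $id =~ s/^_|_$//g;    # trim a leading or trailing underscore
    return ucfirst($id);  # "test" becomes "Test", as in the report
}

# Return one record per stored id that differs from its normalized form.
# Edit requests for such a page are applied to the normalized id instead.
sub find_unreachable {
    my (@ids) = @_;
    my %exists = map { $_ => 1 } @ids;
    my @found;
    for my $id (@ids) {
        my $norm = normalize_id($id);
        next if $norm eq $id;    # already canonical: editable as usual
        push @found, {
            id            => $id,
            edits_go_to   => $norm,
            target_exists => $exists{$norm} ? 1 : 0,
        };
    }
    return @found;
}

# Constructed sample index (not taken from a real wiki).
my @index = ('Test', 'test', 'SandBox', 'sandbox', 'Front_Page');

for my $hit (find_unreachable(@index)) {
    printf "%-10s edits land on %-10s (%s)\n",
        "'$hit->{id}'", "'$hit->{edits_go_to}'",
        $hit->{target_exists} ? 'existing page' : 'no such page yet';
}
```

Pages flagged this way cannot be cleaned up through the normal edit form, since that form would modify the normalized page instead.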

Last edited October 22, 2007 3:25 pm by MarkusLude