Merges from trunk; Item11458: changes to move password file existance…

… check to =configure= Item11591: validation check improvements Item9569: plugin handlers test

git-svn-id: http://svn.foswiki.org/branches/Release01x01@14292 0b4bb1d4-4e5a-0410-9cc4-b2b747904278

UnitTestContrib/test/unit/FoswikiFnTestCase.pm

@@ -66,6 +66,11 @@ sub loadExtraConfig {
     $Foswiki::cfg{RCS}{AutoAttachPubFiles}  = 0;
     $Foswiki::cfg{Register}{AllowLoginName} = 1;
     $Foswiki::cfg{Htpasswd}{FileName}    = "$Foswiki::cfg{WorkingDir}/htpasswd";
+    unless ( -e $Foswiki::cfg{Htpasswd}{FileName} ) {
+        my $fh;
+        open( $fh, ">", $Foswiki::cfg{Htpasswd}{FileName} ) || die $!;
+        close($fh) || die $!;
+    }
     $Foswiki::cfg{PasswordManager}       = 'Foswiki::Users::HtPasswdUser';
     $Foswiki::cfg{Htpasswd}{GlobalCache} = 0;
     $Foswiki::cfg{UserMappingManager}    = 'Foswiki::Users::TopicUserMapping';

UnitTestContrib/test/unit/PluginHandlerTests.pm

@@ -285,7 +285,7 @@ sub commonTagsHandler {
 }
 sub afterCommonTagsHandler {
     #my( $text, $topic, $theWeb, $meta ) = @_;
-    $tester->assert_matches(/(Tropic|IncludedTopic)/, $_[1], "TWO $_[1]");
+    $tester->assert_matches(qr/(Tropic|IncludedTopic)/, $_[1], "TWO $_[1]");
     #$tester->assert_str_equals('Werb', $_[2]);
     $tester->assert($_[3]->isa('Foswiki::Meta'));
     $tester->assert_matches( qr/Two/, $_[0]);

UnitTestContrib/test/unit/ViewFileScriptTests.pm

@@ -453,7 +453,7 @@ sub test_simple_textfile {
       $this->viewfile( "/$this->{test_web}/TestTopic1/one.txt", 1 );
 
     $this->assert_equals( "Test attachment one.txt\n", $text );
-    $this->assert_matches( qr/Content-Type: text\/plain; charset=ISO-8859-1/i,
+    $this->assert_matches( qr/Content-Type: text\/plain; charset=$Foswiki::cfg{Site}{CharSet}/i,
         $headers );
     $this->assert_matches( 'Content-Disposition: inline; filename=one.txt',
         $headers );

core/lib/Foswiki.pm

@@ -801,7 +801,14 @@ JS
 
     # SMELL: can't compute; faking content-type for backwards compatibility;
     # any other information might become bogus later anyway
-    my $hdr = "Content-type: " . $contentType . "\r\n";
+    # Validate format of content-type (defined in rfc2616)
+    my $tch = qr/[^\[\]()<>@,;:\\"\/?={}\s]/o;
+    if ($contentType =~ /($tch+\/$tch+(\s*;\s*$tch+=($tch+|"[^"]*"))*)$/oi) {
+	$contentType = $1;
+    } else {
+	$contentType = "text/plain;contenttype=invalid";
+    }
+    my $hdr = "Content-type: " . $1 . "\r\n";
 
     # Call final handler
     $this->{plugins}->dispatch( 'completePageHandler', $text, $hdr );
@@ -1047,35 +1054,28 @@ sub _isRedirectSafe {
 =begin TML
 
 ---++ ObjectMethod redirectto($url) -> $url
-Gets a redirect url from CGI parameter 'redirectto', if present on the query.
 
-If the redirectto CGI parameter specifies a valid redirection target it is
-returned; otherwise the original URL passed in the parameter is returned.
+If the CGI parameter 'redirectto' is present on the query, then will validate
+that it is a legal redirection target (url or topic name). If 'redirectto'
+is not present on the query, performs the same steps on $url.
 
-Conditions for a valid redirection target are:
-   * The target matches the linkProtocolPattern regex, and redirection
-     to the url _isRedirectSafe
-   * The target specified a topic, or a Web.Topic (redirect will be to
-     'view')
+Returns undef if the target is not valid, and the target URL otherwise.
 
 =cut
 
 sub redirectto {
     my ( $this, $url ) = @_;
-    ASSERT($url) if DEBUG;
 
     my $redirecturl = $this->{request}->param('redirectto');
-    return $url unless $redirecturl;
+    $redirecturl = $url unless $redirecturl;
+
+    return unless $redirecturl;
 
     if ( $redirecturl =~ m#^$regex{linkProtocolPattern}://#o ) {
 
         # assuming URL
-        if ( _isRedirectSafe($redirecturl) ) {
-            return $redirecturl;
-        }
-        else {
-            return $url;
-        }
+        return $redirecturl if _isRedirectSafe($redirecturl);
+	return;
     }
 
     # assuming 'web.topic' or 'topic'
@@ -1088,7 +1088,7 @@ sub redirectto {
     my @attrs = ();
     push( @attrs, '#' => $anchor ) if $anchor;
 
-    return $this->getScriptUrl( 1, 'view', $w, $t, @attrs );
+    return $this->getScriptUrl( 0, 'view', $w, $t, @attrs );
 }
 
 =begin TML

core/lib/Foswiki/Configure/Checkers/Htpasswd/LockFileName.pm

@@ -25,6 +25,65 @@ sub check {
 
     ($f) = $f =~ m/(.*)/;     # Untaint needed to prevent a failure.
 
+    unless ( -e $f ) {
+	# lock file does not exist; check it can be created
+	my $fh;
+	if (!open($fh, ">", $f) || !close($fh)) {
+	    $e .= $this->ERROR("$f could not be created: $!");
+	}
+    } elsif ( ! -f $f || ! -w $f ) {
+	# lock file exists but is a directory or is not writable
+	$e .= $this->ERROR( "$f is not a writable plain file. ")
+    }
+    unlink $f;
+
+    return $e;
+}
+
+1;
+__END__
+Foswiki - The Free and Open Source Wiki, http://foswiki.org/
+
+Copyright (C) 2012 Foswiki Contributors. Foswiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+NOTE: Please extend that file, not this notice.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version. For
+more details read LICENSE in the root of this distribution.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+As per the GPL, removal of this notice is prohibited.
+# See bottom of file for license and copyright information
+package Foswiki::Configure::Checkers::Htpasswd::LockFileName;
+
+use strict;
+use warnings;
+
+use Foswiki::Configure::Checker ();
+our @ISA = ('Foswiki::Configure::Checker');
+
+sub check {
+    my $this = shift;
+    my $e    = '';
+
+    $e .= $this->showExpandedValue( $Foswiki::cfg{Htpasswd}{LockFileName} );
+
+    #NOTE:  If there are any other PasswordManagers that require .htpasswd,
+    #       they should be added to this list.
+    return $e
+      if ( $Foswiki::cfg{PasswordManager} ne 'Foswiki::Users::HtPasswdUser'
+        && $Foswiki::cfg{PasswordManager} ne
+        'Foswiki::Users::ApacheHtpasswdUser' );
+
+    my $f = $Foswiki::cfg{Htpasswd}{LockFileName};
+    Foswiki::Configure::Load::expandValue($f);
+
     unless ( -e $f ) {
 
         # lock file does not exist; check it can be created

core/lib/Foswiki/UI/ChangeForm.pm

@@ -85,10 +85,13 @@ sub generate {
     $page =~ s/%FORMLIST%/$formList/go;
 
     my $parent = $q->param('topicparent') || '';
+    $parent = Foswiki::Sandbox::untaint(
+	$parent,
+	\&Foswiki::Sandbox::validateTopicName ) if $parent;
     $page =~ s/%TOPICPARENT%/$parent/go;
-
-    my $redirectTo = $q->param('redirectto') || '';
-    $page =~ s/%REDIRECTTO%/$redirectTo/go;
+ 
+    my $redirectTo = $session->redirectto() || '';
+    $page =~ s/%REDIRECTTO%/$redirectTo/g;
 
     my $text = '';
     $text = "<input type=\"hidden\" name=\"action\" value=\"$editaction\" />"

core/lib/Foswiki/UI/Manage.pm

@@ -37,8 +37,8 @@ sub manage {
     my $action = $session->{request}->param('action');
 
     # Dispatch to action function
-    if ( defined $action ) {
-        my $method = 'Foswiki::UI::Manage::_action_' . $action;
+    if ( defined $action && $action =~ /^([a-z]+)$/i ) {
+        my $method = 'Foswiki::UI::Manage::_action_' . $1;
 
         if ( defined &$method ) {
             no strict 'refs';
@@ -578,8 +578,7 @@ s(^(?:\t|   )+\*\s+(Set|Local)\s+($Foswiki::regex{tagNameRegex})\s*=\s*?(.*)$)
         );
     }
 
-    my $viewURL = $session->getScriptUrl( 0, 'view', $web, $topic );
-    $session->redirect( $session->redirectto($viewURL) );
+    $session->redirect( $session->redirectto("$web.$topic") );
 }
 
 sub _parsePreferenceValue {
@@ -668,8 +667,7 @@ sub _action_restoreRevision {
 
     $session->{cgiQuery}->delete('action');
 
-    my $viewURL = $session->getScriptUrl( 0, 'view', $web, $topic );
-    $session->redirect( $session->redirectto($viewURL) );
+    $session->redirect( $session->redirectto( "$web.$topic" ) );
 
 }
 

core/lib/Foswiki/UI/Oops.pm

@@ -16,6 +16,14 @@ use Assert;
 
 use Foswiki ();
 
+# Module uses \w, requiring locale
+BEGIN {
+    if ( $Foswiki::cfg{UseLocale} ) {
+        require locale;
+        import locale();
+    }
+}
+
 =begin TML
 
 ---++ StaticMethod oops_cgi($session)
@@ -92,8 +100,8 @@ sub oops {
     }
     $tmplName ||= 'oops';
 
-    # Item5324: Filter out < and > to block XSS
-    $tmplName =~ tr/<>//d;
+    # Item5324: Filter to block XSS
+    $tmplName =~ s/[^\w,.\/]//g;
 
     # Do not pass on the template parameter otherwise continuation won't work
     $query->delete('template');

core/lib/Foswiki/UI/Register.pm

@@ -101,6 +101,14 @@ sub register_cgi {
     }
     elsif ( $action eq 'resetPassword' ) {
 
+        if ( !$session->inContext("passwords_modifyable") ) {
+            throw Foswiki::OopsException(
+                'attention',
+                web   => $session->{webName},
+                topic => $session->{topicName},
+                def   => 'passwords_disabled'
+		);
+	}
         # resetpasswd calls checkValidationKey - don't check it here
         require Foswiki::UI::Passwords;
         Foswiki::UI::Passwords::resetpasswd($session);
@@ -297,7 +305,8 @@ sub _registerSingleBulkUser {
         # Add the user to the user management system. May throw an exception
         my $cUID = $users->addUser(
             $row->{LoginName}, $row->{WikiName},
-            $row->{Password},  $row->{Email}
+            $session->inContext("passwords_modifyable") ? $row->{Password} : undef,
+	    $row->{Email}
         );
         $log .=
 "$b1 $row->{WikiName} has been added to the password and user mapping managers\n";
@@ -744,22 +753,18 @@ sub addUserToGroup {
         );
     }
 
-    unless ( $query->param('redirectto') ) {
-        throw Foswiki::OopsException(
-            'attention',
-            status => 200,
-            def    => 'added_users_to_group',
-            web    => $web,
-            topic  => $topic,
-            params => [ join( ', ', @succeeded ), $groupName ]
-        );
-    }
-    else {
-        $session->redirect(
-            $session->redirectto(
-                $session->getScriptUrl( 1, 'view', $web, $topic )
-            )
-        );
+    my $url = $session->redirectto();
+    unless ( $url ) {
+	throw Foswiki::OopsException(
+	    'attention',
+	    status => 200,
+	    def    => 'added_users_to_group',
+	    web    => $web,
+	    topic  => $topic,
+	    params => [ join( ', ', @succeeded ), $groupName ]
+	    );
+    } else {
+	$session->redirect( $url );
     }
 }
 
@@ -836,22 +841,18 @@ sub removeUserFromGroup {
         );
     }
 
-    unless ( $query->param('redirectto') ) {
-        throw Foswiki::OopsException(
-            'attention',
-            status => 200,
-            def    => 'removed_users_from_group',
-            web    => $web,
-            topic  => $topic,
-            params => [ join( ', ', @succeeded ), $groupName ]
-        );
-    }
-    else {
-        $session->redirect(
-            $session->redirectto(
-                $session->getScriptUrl( 1, 'view', $web, $topic )
-            )
-        );
+    my $url = $session->redirectto();
+    unless ( $url ) {
+	throw Foswiki::OopsException(
+	    'attention',
+	    status => 200,
+	    def    => 'removed_users_from_group',
+	    web    => $web,
+	    topic  => $topic,
+	    params => [ join( ', ', @succeeded ), $groupName ]
+	    );
+    } else {
+	$session->redirect( $url );
     }
 }
 
@@ -890,7 +891,8 @@ sub _complete {
 
     my $users = $session->{users};
     try {
-        unless ( defined( $data->{Password} ) ) {
+        unless ( !$session->inContext("passwords_modifyable") ||
+		 defined( $data->{Password} ) ) {
 
             # SMELL: should give consideration to disabling
             # $Foswiki::cfg{Register}{HidePasswd} though that may
@@ -908,7 +910,8 @@ sub _complete {
 
         my $cUID = $users->addUser(
             $data->{LoginName}, $data->{WikiName},
-            $data->{Password},  $data->{Email}
+            $session->inContext("passwords_modifyable") ? $data->{Password} : undef,
+	    $data->{Email}
         );
         my $log = _createUserTopic( $session, $data );
         $users->setEmails( $cUID, $data->{Email} );

core/lib/Foswiki/UI/Rest.pm

@@ -277,9 +277,10 @@ sub rest {
             throw Foswiki::EngineException( 404, $err, $res );
         }
 
-        $nurl = $session->getScriptUrl( 1, 'view', '', $endPoint );
+        $nurl = $session->getScriptUrl( 1, 'view', $web, $topic );
         $nurl .= $epParms if ($epParms);
     }
+
     if ( defined($nurl) ) {
         $session->redirect($nurl);
     }

core/lib/Foswiki/UI/Save.pm

@@ -483,8 +483,7 @@ WARN
                 \&Foswiki::Sandbox::validateTopicName );
             last if ( $session->topicExists( $w, $t ) );
         }
-        my $viewURL = $session->getScriptUrl( 1, 'view', $w, $t );
-        $session->redirect( $session->redirectto($viewURL), undef, 1 );
+        $session->redirect( $session->redirectto("$w.$t"), undef, 1 );
 
         return;
     }
@@ -541,10 +540,9 @@ WARN
     }
     else {
 
-      # redirect to topic view or any other redirectto specified as an url param
-        $redirecturl =
-          $session->redirectto(
-            $session->getScriptUrl( 1, 'view', $web, $topic ) );
+	# redirect to topic view or any other redirectto
+	# specified as an url param
+        $redirecturl = $session->redirectto( "$web.$topic" );
     }
 
     if ( $saveaction eq 'quietsave' ) {