Fossil Forum

Fix bug in wikiappend

(1) By anonymous on 2021-10-18 09:35:49 [source]

/wikiappend uses the mimetype passed via the mimetype url parameter in the resulting manifest. This is a problem as it allows changing the mimetype of a page via append i.e. one can append markdown to a fossil wiki page and the entire page becomes type markdown (also works with all other combinations). This leads to the previous part of the page not being rendered correctly anymore. I don't think changing the mimetype through append should be possible, so this patch simply uses the mimetype of the wikipage and ignores the mimetype url parameter in the !Sandbox case. In addition it removes a superfluous return and redirects to /home if the manifest cannot be fetched. Maybe the !g.anon.ApndWiki check should be moved up to prevent excessive work.

Index: src/wiki.c
==================================================================
--- src/wiki.c
+++ src/wiki.c
@@ -1596,14 +1596,15 @@
   int rid = 0;
   int isSandbox;
   const char *zPageName;
   const char *zUser;
   const char *zMimetype;
   int goodCaptcha = 1;
   const char *zFormat;
+  Manifest *pWiki = 0;
 
   login_check_credentials();
   zPageName = PD("name","");
   zMimetype = wiki_filter_mimetypes(P("mimetype"));
   if( check_name(zPageName) ) return;
   isSandbox = is_sandbox(zPageName);
   if( !isSandbox ){
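
Review bot: `zMimetype = wiki_filter_mimetypes(P("mimetype"));` stays unconditional at the top of the function, so the request-supplied value is still assigned and is only overwritten later for non-sandbox pages. Moving that assignment into the sandbox path, or adding a comment beside it saying the URL parameter is honoured only when `isSandbox` is true, would make it clear to later readers that client input must not reach the `N` card of a stored page. The new function-scope `Manifest *pWiki = 0;` would also benefit from a one-line comment stating that it is owned here and must be released on every exit path.
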
@@ -1614,40 +1615,41 @@
       " ORDER BY mtime DESC", zTag
     );
     free(zTag);
     if( !rid ){
       fossil_redirect_home();
       return;
     }
+    pWiki = manifest_get(rid, CFTYPE_WIKI, 0);
+    if( !pWiki ){
+      fossil_redirect_home();
+      return;
+    }
+    zMimetype = wiki_filter_mimetypes(pWiki->zMimetype);
   }
   if( !g.perm.ApndWiki ){
     login_needed(g.anon.ApndWiki);
     return;
   }
   if( P("submit")!=0 && P("r")!=0 && P("u")!=0
    && (goodCaptcha = captcha_is_correct(0))
   ){
     char *zDate;
     Blob cksum;
     Blob body;
     Blob wiki;
-    Manifest *pWiki = 0;
 
     blob_zero(&body);
     if( isSandbox ){
       blob_append(&body, db_get("sandbox",""), -1);
       appendRemark(&body, zMimetype);
       db_set("sandbox", blob_str(&body), 0);
     }else{
       login_verify_csrf_secret();
-      pWiki = manifest_get(rid, CFTYPE_WIKI, 0);
-      if( pWiki ){
-        blob_append(&body, pWiki->zWiki, -1);
-        manifest_destroy(pWiki);
-      }
+      blob_append(&body, pWiki->zWiki, -1);
       blob_zero(&wiki);
       db_begin_transaction();
       zDate = date_in_standard_format("now");
       blob_appendf(&wiki, "D %s\n", zDate);
       blob_appendf(&wiki, "L %F\n", zPageName);
       if( fossil_strcmp(zMimetype, "text/x-fossil-wiki")!=0 ){
         blob_appendf(&wiki, "N %s\n", zMimetype);
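
Review bot: The new `manifest_get()` call sits above the `if( !g.perm.ApndWiki )` check, and the `return` after `login_needed(g.anon.ApndWiki)` exits without calling `manifest_destroy(pWiki)`. Moving the permission check above the `rid` lookup and the `manifest_get()` call would remove that leak and keep requests without append permission from triggering the manifest fetch at all. The now-unguarded `blob_append(&body, pWiki->zWiki, -1);` is safe only because the earlier `if( !pWiki )` branch returns; a short comment at that line would record the dependency.
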
@@ -1664,19 +1666,20 @@
       blob_appendf(&wiki, "W %d\n%s\n", blob_size(&body), blob_str(&body));
       md5sum_blob(&wiki, &cksum);
       blob_appendf(&wiki, "Z %b\n", &cksum);
       blob_reset(&cksum);
       wiki_put(&wiki, rid, wiki_need_moderation(0));
       db_end_transaction(0);
     }
+    manifest_destroy(pWiki);
     cgi_redirectf("wiki?name=%T", zPageName);
   }
   if( P("cancel")!=0 ){
+    manifest_destroy(pWiki);
     cgi_redirectf("wiki?name=%T", zPageName);
-    return;
   }
   style_set_current_page("%T?name=%T", g.zPath, zPageName);
   style_set_current_feature("wiki");
   style_header("Append Comment To: %s", zPageName);
   if( !goodCaptcha ){
     @ <p class="generalError">Error: Incorrect security code.</p>
   }
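
Review bot: Both new `manifest_destroy(pWiki);` calls are also reached for the sandbox page, where `pWiki` is still 0, whereas the code being replaced only called it inside `if( pWiki )`. Either confirm that `manifest_destroy()` accepts a null pointer or guard the calls. In the cancel branch, removing `return;` after `cgi_redirectf()` makes the block read as though it falls through to `style_header()`; if the redirect call does not return, a comment saying so would keep the control flow clear.
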
@@ -1704,14 +1707,15 @@
   @ <br />
   @ <input type="submit" name="preview" value="Preview Your Comment" />
   @ <input type="submit" name="submit" value="Append Your Changes" />
   @ <input type="submit" name="cancel" value="Cancel" />
   captcha_generate(0);
   @ </form>
   style_finish_page();
+  manifest_destroy(pWiki);
 }
 
 /*
 ** WEBPAGE: whistory
 ** URL: /whistory?name=PAGENAME
 **
 ** Additional parameters:

(2) By Stephan Beal (stephan) on 2021-10-18 10:26:47 in reply to 1 [link] [source]

> /wikiappend uses the mimetype passed via the mimetype url parameter in the resulting manifest.

You might be the only person who actually uses the append feature. That is an ancient, ancient bug which has never been reported before.

> In addition it removes a superfluous return and redirects to /home if the manifest cannot be fetched.

I think those particular returns are more of a documentation thing, as not all readers of the code will know offhand that the call before it does not return.

> Maybe the !g.anon.ApndWiki check should be moved up to prevent excessive work.

I'll look into that while applying your fix. Expect that to hit trunk in the next hour or two.

(3) By Stephan Beal (stephan) on 2021-10-18 11:14:56 in reply to 1 [link] [source]

> /wikiappend uses the mimetype passed via the mimetype url parameter in the resulting manifest.

That's now in trunk but it was also modified to outright disallow appending to the sandbox. When we reimplemented /wikiedit we removed the ability to write to the sandbox from the web interface and the long-neglected-/wikiappend has been an unfortunate back door into that capability since then. Additionally, the display of "formatted as (MIMETYPE)" was incorrect for text/plain pages and that's been fixed.

Thank you for the patch!