distributedINFORMATION.com

I was having a discussion with someone on IRC about how TWiki is vulnerable to Cross-site scripting and Cross-site request forgery, and we realized that there are 2 possible approaches to securing TWiki effectively (both requiring a unique magic number for all URLs):

1. add a pre process to the TWiki::UI system, requiring a valid and unique magic, and a post process step between rendering and output to the browser
2. use a small proxy system between TWiki and browsers to add and validate the magic

1. is actually still risky as all scripts still are able to output directly to the browser using a =print= statement, thus giving the user urls that may not have a necessary magic in the url, or similarly for AddOns that persist in not using resthandlers.

whereas 2. abstracts the security from the application server, in much the same way as it is for ssl - goodness all round.

So - I wonder if there is such a proxy already?

There are also massive performance reasons why you should always have a proxy between browsers and heavy application servers like TWiki - this too could do with filling out.Securing TWiki is not as simple as converting all actions to POST (ie using proper REST / HTTP) because there are too many legacy conveniences, allowing GET URL’s to act upon the data. But, by delegating the securing of the transactions to an external wrapper, I think we can avoid these flaws.
see Wikipedia on Cross Site Scripting and Cross-site request forgery

(test post using Gnome Webog poster)

The last fortnight, I’ve been working on creating a new, soon to be released to web 2.0 ‘Beta’ site based on TWiki 4.2.0. That means that I’ve been busy finding, reporting and fixing Bugs for TWiki 4.2.1.

The list todate are:

Item5455 BuildContrib doesn’t cope with larger numbers of files Closed 15 Apr 2008 - 04:34 SvenDowideit

Item5536 robots.txt is missing some obvious scripts - like login Waiting for Release 14 Apr 2008 - 08:43 SvenDowideit

Item5535 IF{”$BANNER” does not really work. Waiting for Release 14 Apr 2008 - 06:49 SvenDowideit

Item5534 missing contexts for several bin scripts Waiting for Release 14 Apr 2008 - 06:25 SvenDowideit

Item5533 tmpl login script does not do writeCompletePage, so it does not get addToHEAD bits. Waiting for Release 14 Apr 2008 - 05:10 SvenDowideit

Item5513 update TalkContrib topic Closed 11 Apr 2008 - 06:19 SvenDowideit

Item5509 IF & query String matching may be incorrectly greedy. Waiting for Release 11 Apr 2008 - 01:55 SvenDowideit

Item5501 IF allows does not work correctly if the topic does not exist. Waiting for Release 11 Apr 2008 - 01:41 SvenDowideit

Item5510 initial version of TalkContrib Closed 09 Apr 2008 - 08:11 SvenDowideit

Item5499 TWiki::UI::Resister::changePassword sends login, not cUID to TWiki::Users::setPassword Waiting for Release 04 Apr 2008 - 02:24 SvenDowideit

Item5496 Conclusion: Turn off UTF-8 test case until bug is fixed (4.2 branch only) Waiting for Release 03 Apr 2008 - 02:06 SvenDowideit

Item5495 add twikiBroadcastMessage class div to default & classic skins Waiting for Release 03 Apr 2008 - 00:53 SvenDowideit

I have just uploaded the OpenIDUserContrib for TWiki 4.2.0. It adds OpenID login and 1.1 Attribute functionalty to TWiki.

Currently, it disables Registration, and limits authentication to OpenID users.

It has the advantage over the OpenIDAuth apache module, that it automatically requests the User’s OpenId 1.1 attributes like Name, Email address directly from their OpenID identity.

While it trusts the user’s choice of ‘FullName’ registration attribute when displaying who made changes to topics, the TWiki topic source
actually stores the authenticating OpenID URI, thus their user details will be updated from the authentication server next time they log in.

Note that TWiki Topic based Groups are not yet implemented using this Mapper.

Future directions

• add mixing of UserMappers to allow OpenID and ‘normal’ TWiki auth
• turn TWiki into an OpenID identity server
• add Safe Group definition system
• add OpenId to TWiki’s registration process (would require openid auth first, then prefill registration details from any available attributes
  • This will require re-writing of TWiki’s inbuilt registration system
• move the list of Known users and their mapping information from data/OpenIdUsers.txt to somewhere more scalable. (perhaps DBI)
  • combine the info TWiki uses persistently with the Session and other caching info OpenID11? uses

Net::OpenID11 (based on Net::JanRain::OpenID)

To make this work, I fixed the Perl bugs I found in Net::JanRain::OpenID, and renamed the resulting modules under Net::openID11 (as it is not OpenID2.0). I expect to upload these packages to CPAN some time soon.

If you want to take a look at the code - goto my Subversion repository

These Windows, OSX, Centos and Fedora Core installers are fully integrated native installers that will update your Computer with perl, apache, rcs and other tools needed to run TWiki on that platform.TWiki 4.2.0 contains many new improvements to TWiki, including a much improved Wysiwyg editor, a structured query engine, a more generic authentication system and at the same time, the Core engine is faster than the previous twiki4 releases.The TWiki installers include native installs of (only installed if not already)

1. Apache 2.2 (Windows & rpm)
2. Perl (ActiveState - Windows & native for rpm)
3. Gnu Grep (Windows only)
4. Gnu rcs (All platforms)
5. TWiki 4.2.0 Release.

Please download it, try it out and report your impressions, ideas, bugs and successes here, on TWiki.org, or in the TWiki Bugs system.

• Windows TWiki installer 4.2.0  (23MB)
• Mac OSX TWiki installer (Tiger only I don’t yet own Leopard - donations welcome) 4.2.0  (2MB)
• Centos 4&5 and Fedora Core 5&7 4.2.0  (17MB)

Another TWiki innovation brought to you by distributedINFORMATION & WikiRing.com

With the hard slog done, we’ve managed to release TWiki 4.2.0.

I will be updating and releasing the TWiki Installers, the TWiki debian package and the OpenID contrib in the next month (I need a little time to recover from the final release rush)

We’re looking forward to setting up the new release on the new Servers that were donated by Sun to the TWiki project - it’ll be fun using the DTrace probes to make TWiki faster for everyone before we start the new features for TWiki 5.0.

I’ve just updated and uploaded a bug fixing release of the popular BugsContrib TWiki application. It is a classic example of a TWikiApplication created using only TWiki core functionality.

I’m planning on updating it to use the new 4.2.0 query based SEARCH’s - but I will continue to support TWiki version 4.0.x and 4.1.x.