Disable CamelCase in the entire page

[Datto <da...@laposte.net>]

Hi All,

Is there an option to disable CamelCase in an entire page ?

Thanks in advance.
Regards,
Datto

Re: Security question on SET

[Janne Jalkanen <Ja...@ecyrd.com>]

> On the other hand, I've been so far unable to locate in the code where
> this takes place. There's the no-no list on what is permitted to be
> revealed (via 'get'), and I can find handleMetadata() in the parser
> (which seems to expand any variables via the VariableManager's
> expandVariables() method and then simply set them for the page, but I
> can't find any actual filter or filter list. If you can tell me where
> this happens I might be able to this week document it on the
> jspwiki.org site.

It happens whenever a class is instantiated which uses some of this  
information.  For example, JSPWikiMarkupParser.initialize().

/Janne

Re: Security question on SET

[Murray Altheim <mu...@altheim.com>]

Janne Jalkanen wrote:
>> Has anyone does this already? Or is there an understanding that there
>> are no security issues here? (I'm thinking of things like permitting
>> HTML parsing for a single page, etc.  -- there might be others more
>> subtle.)
> 
> In short: yes.  Only a subset of properties, deemed safe, are allowed to 
> override the jspwiki.properties.  These aren't unfortunately really 
> documented anywhere. :-/

Janne,

Thanks very much -- I had kinda thought that such an obvious security
hole wouldn't have been able to survive so many versions of the code,
so it's reassuring to know that there is a filter in place.

On the other hand, I've been so far unable to locate in the code where
this takes place. There's the no-no list on what is permitted to be
revealed (via 'get'), and I can find handleMetadata() in the parser
(which seems to expand any variables via the VariableManager's
expandVariables() method and then simply set them for the page, but I
can't find any actual filter or filter list. If you can tell me where
this happens I might be able to this week document it on the
jspwiki.org site.

Cheers,

Murray

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record

Re: Security question on SET

[Janne Jalkanen <Ja...@ecyrd.com>]

> Has anyone does this already? Or is there an understanding that there
> are no security issues here? (I'm thinking of things like permitting
> HTML parsing for a single page, etc.  -- there might be others more
> subtle.)

In short: yes.  Only a subset of properties, deemed safe, are allowed  
to override the jspwiki.properties.  These aren't unfortunately  
really documented anywhere. :-/

/Janne

Security question on SET

[Murray Altheim <mu...@altheim.com>]

 From a message sent into jspwiki-users:
>> Is there an option to disable CamelCase in an entire page ?
>
Janne Jalkanen responded:
> Sure there is!
> 
> For the whole wiki: put the following in the jspwiki.properties (make
> sure you only have one copy of the setting, though ;-).
> 
> jspwiki.translatorReader.camelCaseLinks = false
> 
> For a single page, put the following on the page:
> 
> [{SET jspwiki.translatorReader.camelCaseLinks=false}]

After reading this message it occurred to me that if it is possible
to alter any of the wiki's property settings via a SET command, we
might want to systematically go through the set of properties and
determine if there are any security or wiki-wide functionality issues
(which of course makes them related to security) that we might want
to either flag and/or prohibit from being set by users.

Has anyone does this already? Or is there an understanding that there
are no security issues here? (I'm thinking of things like permitting
HTML parsing for a single page, etc.  -- there might be others more
subtle.)

Murray

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record

Re: Disable CamelCase in the entire page

[Janne Jalkanen <ja...@iki.fi>]

> Is there an option to disable CamelCase in an entire page ?

Sure there is!

For the whole wiki: put the following in the jspwiki.properties (make
sure you only have one copy of the setting, though ;-).

jspwiki.translatorReader.camelCaseLinks = false

For a single page, put the following on the page:

[{SET jspwiki.translatorReader.camelCaseLinks=false}]

/Janne