Joona Kannisto sent this by e-mail:
> I looked at the TagMePlugin page on twiki.org and came to the understanding that you're the primary
> maintainers of TagMePlugin. I'm developing a small TWiki plugin as a part of my studies. To get
> a better understanding of how TWiki plugins work I was looking at the TagMePlugin's way to handle
> user input and discovered that it doesn't properly validate it.
> For example, typing the URL:
> yields interesting results. Manually typing URL parameters bypasses the need for authentication so
> that you can tag any topic you are allowed to read (even with user 'guest') and you can use any tag
> you like; it doesn't even have to exist.
> Joona Kannisto
- 20 Oct 2009
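
The report above comes down to checks that have to run on the server for every request, however the URL was produced: the caller is logged in, the tag already exists, and the caller may read the topic. The Perl sketch below is an added example, not TagMePlugin's code or its fix; `check_tag_request`, the parameter names `topic` and `tag`, the tag-syntax rule and the sample data are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added sketch, not TagMePlugin code: every name and value here is hypothetical.
use strict;
use warnings;

# Constructed sample state standing in for the plugin's tag list and the wiki's ACLs.
my %KNOWN_TAGS = map { $_ => 1 } qw(security howto plugin);
my %CAN_VIEW   = ( JaneDoe => { 'Main.WebHome' => 1 } );
my $GUEST      = 'guest';

# Decide whether a "tag this topic" request may proceed.
# Returns (1, 'ok') or (0, reason). Every parameter is treated as untrusted,
# because the request may be typed by hand instead of coming from the form.
sub check_tag_request {
    my ( $user, $params ) = @_;
    my ( $topic, $tag ) = @{$params}{qw(topic tag)};

    # 1. Authentication is enforced here, not by hiding the form from guests.
    return ( 0, 'login required' )
      if !defined $user || $user eq '' || $user eq $GUEST;

    # 2. Parameters must be present and well formed before they are used.
    return ( 0, 'bad topic' )
      unless defined $topic
      && $topic =~ /\A[A-Z][A-Za-z0-9]*\.[A-Z][A-Za-z0-9]*\z/;
    return ( 0, 'bad tag' )
      unless defined $tag && $tag =~ /\A[a-z0-9_-]{1,30}\z/;

    # 3. The tag must already exist; tagging must not create tags as a side effect.
    return ( 0, 'unknown tag' ) unless $KNOWN_TAGS{$tag};

    # 4. The caller must be allowed to read the topic being tagged.
    return ( 0, 'not permitted' ) unless ( $CAN_VIEW{$user} || {} )->{$topic};

    return ( 1, 'ok' );
}

# Constructed requests: a guest, a nonexistent tag, and a legitimate call.
for my $case (
    [ 'guest',   { topic => 'Main.WebHome', tag => 'security' } ],
    [ 'JaneDoe', { topic => 'Main.WebHome', tag => 'no-such-tag' } ],
    [ 'JaneDoe', { topic => 'Main.WebHome', tag => 'security' } ],
  )
{
    my ( $ok, $why ) = check_tag_request(@$case);
    printf "%-8s tag=%-12s => %s\n", $case->[0], $case->[1]{tag},
      $ok ? 'allowed' : "denied ($why)";
}
```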
This is now fixed.
Docs are updated as well. Also removed the uninviting warning on top of the topic to not edit the page.
- 25 Oct 2009
Re-opened to fix packaging issue. Also merged to 4.3 branch since this plugin is part of the TWiki release.
- 27 Oct 2009