%INCLUDE{http://THIS_SERVER/THIS_WEB/THIS_PAGE}% on a TWiki topic causes an infinite INCLUDE loop, which brings the TWiki server down when the topic is viewed.
TWiki::_includeUrl() needs to check if the specified URL may cause an infinite loop.
Checking if the specified URL matches $this->getScriptUrl(1, 'view', $web, $topic) is not enough, because:
1. The TWiki server might be referred to by another name
2. There might be an alternative path to the topic -- e.g. /WEB/TOPIC is the canonical path but /cgi-bin/view/WEB/TOPIC works too
3. Accessing /WEB means accessing WEB.WebHome, which needs to be taken into account
For 1, a new configuration parameter {UrlHostRegex} is introduced. If it's defined, check if the specified URL matches {UrlHostRegex}. If {UrlHostRegex} is not defined, {DefaultUrlHost} is used instead.
If the current page is WebHome, check if the specified URL matches m:/$web\b:. Otherwise, check if the specified URL matches m:/$web[./]$topic\b:.
If both the server name and web/topic match, the call to _includeUrl() is aborted.
-- TWiki:Main/HideyoImazu - 2014-10-07
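The check described in the report above, written out in Perl as an added example; it is not part of the original report and not TWiki's actual patch. The function name, the configuration values and the URLs are constructed, and matching {UrlHostRegex} against the whole scheme-and-host part of the URL is an assumption.

```perl
use strict;
use warnings;

# Hypothetical helper, not TWiki's own code: true if including $url from the
# topic $web.$topic would re-include that same topic.
sub is_self_include {
    my ($url, $web, $topic, $cfg) = @_;

    # Split into scheme://host[:port] and path; query and fragment are ignored.
    my ($host, $path) = $url =~ m{^(https?://[^/?#]+)([^?#]*)}i
        or return 0;

    # Server check: {UrlHostRegex} when defined, otherwise {DefaultUrlHost}.
    # Assumption: the regex is meant to match the whole scheme://host part.
    if (defined(my $re = $cfg->{UrlHostRegex})) {
        return 0 unless $host =~ /^(?:$re)$/i;
    }
    else {
        return 0 unless lc($host) eq lc($cfg->{DefaultUrlHost});
    }

    # Web/topic check, unanchored so that /WEB/TOPIC and
    # /cgi-bin/view/WEB/TOPIC are both caught. From WebHome only the web is
    # tested, because /WEB alone resolves to WEB.WebHome; note that this
    # pattern also matches every other topic URL in the same web.
    my $pattern = $topic eq 'WebHome'
        ? qr{/\Q$web\E\b}
        : qr{/\Q$web\E[./]\Q$topic\E\b};
    return $path =~ $pattern ? 1 : 0;
}

# Constructed configuration and URLs, for illustration only.
my %cfg = (
    DefaultUrlHost => 'http://twiki.example.com',
    UrlHostRegex   => 'https?://(?:twiki|wiki)\.example\.com',
);
my @cases = (
    [ 'http://twiki.example.com/Sandbox/LoopTest',              'Sandbox', 'LoopTest' ],
    [ 'https://wiki.example.com/cgi-bin/view/Sandbox.LoopTest', 'Sandbox', 'LoopTest' ],
    [ 'http://twiki.example.com/Sandbox',                       'Sandbox', 'WebHome'  ],
    [ 'http://twiki.example.com/Sandbox/OtherTopic',            'Sandbox', 'WebHome'  ],
    [ 'http://twiki.example.com/Sandbox/OtherTopic',            'Sandbox', 'LoopTest' ],
    [ 'http://other.example.org/Sandbox/LoopTest',              'Sandbox', 'LoopTest' ],
);
for my $c (@cases) {
    my ($url, $web, $topic) = @$c;
    my $verdict = is_self_include($url, $web, $topic, \%cfg) ? 'ABORT' : 'fetch';
    printf "%-5s %s (from %s.%s)\n", $verdict, $url, $web, $topic;
}
```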
How about using $TWiki::cfg{PermittedRedirectHostUrls} instead of a new config?
-- TWiki:Main.PeterThoeny - 2014-10-07
{UrlHostRegex} seems necessary for the following reasons.
Repurposing {PermittedRedirectHostUrls} (obviously for redirect) is convoluted (TWiki administrators would be puzzled) and doesn't work sometimes.
There might be a case where a redirect to a different server A is permitted and also some pages of server A are included.
Maybe initially {PermittedRedirectHostUrls} was for its own host name aliases, as the following sentence is in lib/TWiki.spec. But now it is not only for that.
If your host has aliases (such as both www.twiki.org and twiki.org, and some IP addresses) you need to list them to tell TWiki that redirecting to them is OK.
-- TWiki:Main.HideyoImazu - 2014-10-18