some updates about the recent hole
parent
886adf9f9f
commit
0e445d62d2
|
@ -356,9 +356,12 @@ allow the security hole to be exploited.
|
|||
## javascript insertion via uris
|
||||
|
||||
The htmlscrubber did not block javascript in uris. This was fixed by adding
|
||||
a whitelist of valid uri types, which does not include javascript.
|
||||
a whitelist of valid uri types, which does not include javascript. Some
|
||||
urls specifyable by the meta plugin could also theoretically have been used
|
||||
to inject javascript; this was also blocked.
|
||||
|
||||
This hole was discovered on 10 February 2008 and fixed the same day
|
||||
with the release of ikiwiki 2.31.1. A fix was also backported to Debian etch,
|
||||
as version 1.33.4. I recommend upgrading to one of these versions if your
|
||||
wiki can be edited by third parties.
|
||||
with the release of ikiwiki 2.31.1. (And a few subsequent versions..)
|
||||
A fix was also backported to Debian etch, as version 1.33.4. I recommend
|
||||
upgrading to one of these versions if your wiki can be edited by third
|
||||
parties.
|
||||
|
|
Loading…
Reference in New Issue